(54) Email access control scheme for communication network using identification concealment mechanism



(57) An email access control scheme capable of resolving problems of the real email address and enabling a unique identification of the identity of the user while concealing the user identification is disclosed. A personalized access ticket containing a sender's identification and a recipient's identification in correspondence is to be presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email. Then, accesses between the sender and the recipient are controlled by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at a secure communication service. Also, an official identification of each user by which each user is uniquely identifiable by a certification authority, and an anonymous identification of each user containing at least one fragment of the official identification are defined, and each user is identified by the anonymous identification of each user in communications for emails on a communication network.
Description

BACKGROUND OF THE INVENTION 

FIELD OF THE INVENTION

[0001] The present invention relates to an email access control scheme for controlling transmission and reception of emails by controlling accesses for communications from other users whose identifications on the communication network are concealed while concealing an identification of a recipient on the communication network.

DESCRIPTION OF THE BACKGROUND ART

[0002] In conjunction with the spread of the Internet, the SPAM and the harassment using emails are drastically increasing. The SPAM is a generic name for emails or news that are unilaterally sent without any consideration to the recipient's time consumption, economical and mental burdens. The SPAM using emails are also known as UBE (Unsolicited Bulk Emails) or UCE (Unsolicited Commercial Emails).

[0003] The SPAM is sent indiscriminately regardless of the recipient's age, sex, interests, etc., so that the SPAM often contains an uninteresting or unpleasant content for the recipient. Moreover, the time consumption load and the economical load required for receiving the SPAM is not so small. For the business user, the SPAM can cause the lowering of the working efficiency as it becomes hard to find important mails that are buried among the SPAM. Also, as the SPAM is sent to a huge number of users, the SPAM wastes the network resources and in the worst case the SPAM can cause the overloading. As a result there can be cases where mails that are important for the user may be lost. Also, the SPAM is sent either anonymously or by pretending someone else so that there is a need to provide some human resources to handle complaints.
[0004] On the other hand, the harassment is an act for keep sending mails with unpleasant contents for the user continually on the purpose of causing mental agony or exerting economical and time consumption burdens to the specific user. Similarly as the SPAM, the harassment mails are sent by pretending an actual or virtual third person, so that the identification of the sender is quite difficult. Also, there are cases where a large capacity mail is sent or a large amount of mails are sent in short period of time so that there is a danger of causing the system breakdown.
[0005] In order to deal with the SPAM and the harassment, the mail system is required to satisfy the following requirements.

Security

It is necessary to detect the pretending by the sender and refuse the delivery from the pretending sender.

Strength

It is necessary to limit the mail capacity in order to circumvent the system breakdown due to the large capacity mail. It is also necessary to limit the number of transmissions in order to circumvent the system breakdown due to the large amount transmission.

Compatibility

It is necessary not to require a considerable change to the implementation of the existing mail system.

Handling

It is necessary not to require a considerable change to the handling of the existing mail system.

The MTA (Message Transfer Agent) such as sendmail and qmail detects the forgery of the envelope information and the header information and refuses the delivery. The MTA also refuses mail receiving from a mail server which is a source of the SPAM by referring to the so called black list such as MAPS RBL. The MTA also detects the transmission using someone else's real email address and refuses the delivery by carrying out the signature verification using PGP, S/MIME, TLS, etc. The MTA also limits the message length by partial deletion of the message text.

One of the causes of the SPAM and the harassment is the real email address, and the real email address is associated with the following problems.

User's identity can be guessed from real email address:

The real email address contains an information useful in guessing the identity so that it can be used in selecting the harassment target. For example, the place of employment can be identified from the real domain. Also, the name and the sex can be guessed from the user name.

Real email address can be guessed from user's identity:

The real email address has a universal format of [user name]@[domain name] so that the real email address can be guessed if the user's identity is known, without an explicit knowledge of the real email address itself. For example, if the user's real name is known, the candidates for the user name can be enumerated. Also, if the user's affiliation is known, the candidates for the domain name can be enumerated. Even in the case where the user name is given by a character string which is totally unrelated to the real name, if the naming rule for the user name is known, the user name can be guessed by trial and error transmissions.
Real email address is transferrable:

The real email address can be transferred from one person to another, so that mails can be transmitted even if the real email address is not taught by the holder himself. The transfer of real email address through mails includes the following cases. By specifying the other's real email address in the cc: line of the mail, that real email address can be transferred to all the recipients specified in the To: line of the mail. Also, by forwarding the mail that contains the real email address of the recipient specified in the To: line in the message text to a third person, that real email address can be transferred to the third person.

EP0946022 A2

Real email address is hard to cancel:

It is difficult to cancel the real email address because if the real email address is cancelled it becomes impossible to read not only the SPAM and the harassment mails but also the important mails as well.

[0006] Cypherpunk remailers and Mixmaster remailers which are collectively known as Anonymous remailers use a scheme for delivering mails after encrypting the real email address and the real domain of the sender. This scheme is called the reply block. The encryption and decryption of the reply block uses a public key and a secret key of the Anonymous remailer so that it is difficult to identify the real email address and the real domain of the sender for any users other than the sender.

[0007] The Anonymous remailers also make it difficult to transfer the real email address because it is difficult to identify the real email address. However, the reply block is transferrable, so that reply mails can be returned to the sender from users other than the recipient.
[0008] AS-Node and nym.alias.net which are collectively known as Pseudonymous servers use mail transmission and reception using a pseudonym account uniquely corresponding to the real email address of the user. The pseudonym account can be arbitrarily created at the user side so that the user can have a pseudonym account from which the real email address is hard to guess. In addition, by the use of the reply block it is also possible to conceal the real email address and the real domain of the user to the Pseudonymous server. By combining these means, it can be made difficult to identify the real email address and the real domain of the sender for any users other than the sender. Also, the pseudonym account is cancellable so that there is no need to cancel the real email address.
[0009] The Pseudonymous servers also make it difficult to transfer the real email address because it is difficult to identify the real email address. However, the pseudonym account is transferrable so that reply mails can be returned to the sender from users other than the recipient.

[0010] In addition, in order to protect a recipient from the SPAM and the harassment, it is also necessary to reject a connection request from a sender who is exercising such action. For this reason, it is necessary for the communication system to be capable of uniquely identifying the identity of the sender.



[0011] In view of these factors, the communication system is required to be capable of uniquely identifying the identity of the user while concealing the real email address of the user (that is while guaranteeing the anonymity of the user), but in the conventional communication system, it has been difficult to meet both of these requirements simultaneously.
[0012] In order to identify the identity of the user in the mail system, the real email address of that user is necessary. On the other hand, the Anonymous remailers deliver a mail after either encrypting or deleting the real email address of the sender in order to guarantee the anonymity of the sender. In order to identify the identity of the sender under this condition, it is necessary to trace the delivery route of the mail using the traffic analysis. However, the Anonymous remailers may delay the mail delivery or interchange the delivery orders of mails. Also, the Mixmaster remailers deliver the mail by dividing it into plural blocks. For this reason, it is difficult to trace the delivery route by the traffic analysis, and therefore the identification of the identity of the sender is also difficult.

[0013] The Pseudonymous servers also utilize the Anonymous remailers for the mail delivery, so that it is possible to guarantee the anonymity of the sender but it is also difficult to uniquely identify the identity of the sender.

[0014] On the other hand, the German Signature Law allows entry of a pseudonym instead of a real name into a digital certificate for generating the digital signature to be used in communication services. The digital certificate is uniquely assigned to the user so that the identity of the user can be uniquely identified even if the pseudonym is entered. Also, the right for naming the pseudonym is given to the user side so that it is possible to enter the pseudonym from which it is difficult to guess the real name.

SUMMARY OF THE INVENTION 


[0015] It is therefore an object of the present invention to provide an email access control scheme in a communication network which is capable of resolving the above described problems of the real email address which is one of the causes of the SPAM and the harassment.
[0016] It is another object of the present invention to provide an email access control scheme in a communication network which is capable of enabling a unique identification of the identity of the user while concealing the user identification.

[0017] In order to resolve the problems associated with the transfer and the cancellation of the real email address, the present invention employs the email access control scheme using a personalized access ticket (PAT). In order to resolve the problem associated with the transfer of the real email address, the destination is specified by the PAT which contains both the real email address of the sender and a real email address of the recipient. Also, in order to resolve the problem associated with the cancellation of the real email address, a validity period is set in the PAT by a Trusted Third Party. Then, the mail delivery from the sender who presented the PAT with the expired validity period will be refused. Also, instead of cancelling the real email address, the PAT is registered at a secure storage device managed by a secure communication service.
[0018] In other words, the present invention controls accesses in units in which the real email address of the sender and the real email address of the recipient is paired. For this reason, even when the real email address is transferred, it is possible to avoid receiving mails from users to which the real email address has been transferred as long as the PAT is not acquired by these users.

[0019] Also, in the present invention, it is possible to refuse receiving mails without cancelling the real email address because the mail delivery from the sender who presented the PAT with the expired validity period or the PAT that is registered in a database by the recipient will be refused.

[0020] Also, in the present invention, the mail receiving can be resumed without re-acquiring the real email address because the mail receiving can be resumed by deleting the PAT from the above described storage device.

[0021] Also, in the present invention, the time consumption and economical loads required for the mail receiving or downloading at the user side can be reduced because the transmission of mails are refused at the server side.

[0022] In addition, the present invention employs the email access control scheme using an official identification (OID) and an anonymous identification (AID) in order to make it possible to identify the identity of the user while guaranteeing the anonymity of the user.
[0023] Namely, in the present invention, a certificate in which the personal information is signed by a secret key of the Trusted Third Party is assigned to each user in order to uniquely identify each user. This certificate will be referred to as OID. Also, a certificate which contains fragments of the OID information is assigned to each user as a user identifier on a communication network in order to make it possible to identify the identity while guaranteeing the anonymity of the user. This certificate will be referred to as AID.

[0024] Also, in the present invention, the OID is reconstructed by judging the identity of a plurality of AIDs in order to identify the identity of the user. Also, the AID is contained in the PAT and the PAT is authenticated at a secure communication service (SCS) in order to resolve the problems associated with the transfer and the cancellation of the AID.

[0025] Also, in the present invention, the AID is managed in a directory which is accessible for search by unspecified many and which outputs the PAT containing the AID as a destination, in order to meet the user side demand for being able to admit accesses from unspecified many without revealing the own identity.
[0026] In this way, in the present invention, the identity of the user can be concealed in the mail transmission and reception because the AID only contains fragments of the OID. Also, the identity of the user can be concealed from unspecified many even when the AID is registered at the directory service which is accessible from unspecified many.

[0027] Also, in the present invention, the identity of the user can be identified by probabilistically reconstructing the OID by judging the identity of a plurality of AIDs. For this reason, it is possible to provide a measure against the SPAM and the harassment without revealing the identity.

[0028] Also, in the present invention, it is possible to admit accesses from unspecified many without revealing the identity, by managing the AID rather than the real email address at the directory and outputting the PAT containing the AID as a destination at the directory.
[0029] More specifically, according to one aspect of the present invention there is provided a method of email access control, comprising the steps of: receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

[0030] Also, in this aspect of the present invention, at the controlling step the secure communication service authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

[0031] Also, in this aspect of the present invention, the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket and at the controlling step the secure communication service authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.
[0032] Also, in this aspect of the present invention, at the receiving step the secure communication service also receives the sender's identification presented by the sender along with the personalized access ticket and at the controlling step the secure communication service checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.
[0033] Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and at the controlling step the secure communication service checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already been expired.

[0034] Also, in this aspect of the present invention, the validity period of the personalized access ticket is set by a trusted third party.

[0035] Also, in this aspect of the present invention, the method can further comprise the step of: issuing the personalized access ticket to the sender at a directory service for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

[0036] Also, in this aspect of the present invention, the method can further comprise the step of: registering in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service; wherein at the controlling step the secure communication service refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance at the registering step.
[0037] Also, in this aspect of the present invention, the method can further comprise the step of: deleting the personalized access ticket registered at the secure communication service upon request from the specific registrant who registered the personalized access ticket at the registering step.

[0038] Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and at the controlling step, when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

[0039] Also, in this aspect of the present invention, the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service.
[0040] Also, in this aspect of the present invention, the transfer control flag of the personalized access ticket is set by a trusted third party.
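
The controlling-step checks described above (altered ticket, presented sender identification, validity period, ticket registered for refusal, transfer control flag with challenge/response) can be sketched as follows. This is an added example, not code from the patent: the field names, the order of the checks, and the use of HMAC as a stand-in for both the secure processing device's public-key signature and the challenge/response procedure are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

# Stand-in for the secure processing device's signing key. The page describes
# a secret-key signature verified with a public key; HMAC is used here only so
# that the sketch runs on the standard library.
ISSUER_KEY = b"constructed-demo-issuer-key"


def canonical(body: dict) -> bytes:
    """Deterministic byte encoding of the signed PAT fields."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict) -> str:
    return hmac.new(ISSUER_KEY, canonical(body), hashlib.sha256).hexdigest()


def issue_pat(sender_id, recipient_id, expires_at, transfer_control):
    """Issue a 1-to-1 PAT (hypothetical field names) and sign it."""
    body = {
        "sender": sender_id,
        "recipient": recipient_id,
        "expires_at": expires_at,              # validity period (epoch seconds)
        "transfer_control": transfer_control,  # True: sender must authenticate
    }
    return {**body, "sig": sign(body)}


def make_responder(key: bytes):
    """Sender side of the challenge/response (HMAC over the challenge)."""
    return lambda challenge: hmac.new(key, challenge, hashlib.sha256).digest()


@dataclass
class SecureCommunicationService:
    sender_keys: dict                          # sender id -> response key (assumption)
    refused: set = field(default_factory=set)  # PATs registered for refusal

    def register_refusal(self, pat):
        self.refused.add(pat["sig"])

    def delete_refusal(self, pat):
        self.refused.discard(pat["sig"])

    def check(self, pat, presented_sender, respond, now=None):
        """Return (deliver, reason) for a PAT presented with a sender id."""
        now = time.time() if now is None else now
        body = {k: v for k, v in pat.items() if k != "sig"}
        presented_sig = str(pat.get("sig", "")).encode()
        # 1. Refuse a PAT that has been altered since it was issued.
        if not hmac.compare_digest(sign(body).encode(), presented_sig):
            return False, "altered"
        # 2. The presented sender identification must be the one in the PAT.
        if presented_sender != pat["sender"]:
            return False, "sender-not-in-pat"
        # 3. Refuse a PAT whose validity period has expired.
        if now >= pat["expires_at"]:
            return False, "expired"
        # 4. Refuse a PAT that the recipient registered for refusal.
        if pat["sig"] in self.refused:
            return False, "registered-for-refusal"
        # 5. Transfer control flag set: authenticate the sender with a
        #    fresh challenge so a copied PAT is useless to someone else.
        if pat["transfer_control"]:
            challenge = secrets.token_bytes(16)
            key = self.sender_keys.get(presented_sender)
            answer = respond(challenge)
            if key is None or not hmac.compare_digest(
                hmac.new(key, challenge, hashlib.sha256).digest(), answer
            ):
                return False, "sender-authentication-failed"
        return True, "deliver"


if __name__ == "__main__":
    # Constructed sample identities and keys.
    scs = SecureCommunicationService({"alice@example.org": b"alice-key"})
    pat = issue_pat("alice@example.org", "bob@example.net", time.time() + 3600, True)
    print(scs.check(pat, "alice@example.org", make_responder(b"alice-key")))
    print(scs.check(pat, "alice@example.org", make_responder(b"guess")))
```

With the transfer control flag cleared the ticket behaves as a bearer token: step 5 is skipped and anyone presenting the sender identification contained in the ticket is admitted until the validity period ends or the recipient registers the ticket for refusal.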

[0041] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by real email addresses of the sender and the recipient.

[0042] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority.

[0043] Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.
[0044] Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.
[0045] Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0046] Also, in this aspect of the present invention, an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified can be defined, and the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.
[0047] Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

[0048] Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.
[0049] Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

[0050] Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

[0051] Also, in this aspect of the present invention, one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

[0052] Also, in this aspect of the present invention, the method can further comprise the step of: issuing an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification, to each user at a certification authority, such that prescribed processing on the personalized access ticket can be carried out at a secure processing device only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

[0053] Also, in this aspect of the present invention, the certification authority issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority.

[0054] Also, in this aspect of the present invention, the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, a changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.
[0055] Also, in this aspect of the present invention, a special identification and a special enabler corresponding to the special identification which are known to all users can be defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.
[0056] Also, in this aspect of the present invention, the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

[0057] Also, in this aspect of the present invention, a special identification which is known to all users can be defined such that a read only attribute can be set to the personalized access ticket by using the special identification.

[0058] Also, in this aspect of the present invention, at the controlling step, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.
[0059] According to another aspect of the present invention there is provided a method of email access control, comprising the steps of: defining an official identification of each user by which each user is uniquely identifiable by a certification authority, and an anonymous identification of each user containing at least one fragment of the official identification; and identifying each user by the anonymous identification of each user in communications for emails on a communication network.

[0060] Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.
[0061] Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.
[0062] Also, in this aspect of the present invention, the method can further comprise the steps of: receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

[0063] Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender at the secure communication service by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0064] Also, in this aspect of the present invention, the defining step can also define a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification can also contain the link information of each anonymous identification.
[0065] Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.
[0066] Also, in this aspect of the present invention, the method can further comprise the steps of: receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.
[0067] Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

[0068] According to another aspect of the present invention there is provided a communication system realizing email access control, comprising: a communication network to which a plurality of user terminals are connected; and a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

[0069] Also, in this aspect of the present invention, the secure communication service device authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

[0070] Also, in this aspect of the present invention, the system further comprises: a secure processing device for issuing the personalized access ticket which is signed by a secret key of the secure processing device; wherein the secure communication service device authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

[0071] Also, in this aspect of the present invention, the secure communication service device also receives the sender's identification presented by the sender along with the personalized access ticket, checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

[0072] Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the secure communication service device checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

[0073] Also, in this aspect of the present invention, the system further comprises: a trusted third party for setting the validity period of the personalized access ticket.

[0074] Also, in this aspect of the present invention, the system can further comprise: a directory service device for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issuing the personalized access ticket to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

[0075] Also, in this aspect of the present invention, the secure communication service device can register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance.

[0076] Also, in this aspect of the present invention, the secure communication service device can delete the personalized access ticket registered therein upon request from the specific registrant who registered the personalized access ticket.

[0077] Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service device authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

[0078] Also, in this aspect of the present invention, the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service device.

[0079] Also, in this aspect of the present invention, the system further comprises a trusted third party for setting the transfer control flag of the personalized access ticket.
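
The checks of paragraphs [0069] to [0078], in the order a secure communication service device could apply them, as an added example that is not part of the patent text. All field names, identifiers and keys are constructed, and HMAC-SHA256 is an assumed stand-in for the public-key signature and for the sender's challenge/response credential so that the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# ASSUMPTION: the text calls for a public-key signature made by the secure
# processing device. HMAC-SHA256 with a constructed key stands in for it here so
# the example runs on the standard library; it is not the patent's mechanism.
ISSUER_KEY = b"constructed-key-of-secure-processing-device"
# ASSUMPTION: constructed per-sender secrets for the challenge/response step.
SENDER_KEYS = {"anon-sender-01": b"constructed-sender-secret"}


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def ticket_body(ticket):
    """Canonical bytes of every ticket field except the signature."""
    fields = {k: v for k, v in ticket.items() if k != "sig"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_ticket(sender, recipient, valid_until, authenticate_sender):
    """Secure processing device: bind identifications, validity period and flag."""
    ticket = {"sender": sender, "recipient": recipient,
              "valid_until": valid_until, "transfer_control": authenticate_sender}
    ticket["sig"] = mac(ISSUER_KEY, ticket_body(ticket))
    return ticket


def answer_challenge(sender, nonce):
    """Sender side of the challenge/response, keyed with the sender's secret."""
    return mac(SENDER_KEYS[sender], nonce)


class SecureCommunicationService:
    def __init__(self):
        self.refused = set()  # (sender, recipient) pairs registered in advance

    def register_refusal(self, ticket):
        self.refused.add((ticket["sender"], ticket["recipient"]))

    def delete_refusal(self, ticket):
        self.refused.discard((ticket["sender"], ticket["recipient"]))

    def check(self, ticket, presented_sender, now, responder=None):
        """Return 'deliver to <recipient>' or 'refuse: <reason>'."""
        # Altered ticket: recompute the issuer's tag over the presented fields.
        try:
            expected = mac(ISSUER_KEY, ticket_body(ticket))
        except (TypeError, ValueError, AttributeError):
            return "refuse: ticket altered"
        presented_sig = str(ticket.get("sig", "")).encode()
        if not hmac.compare_digest(presented_sig, expected.encode()):
            return "refuse: ticket altered"
        # The presented sender identification must be the one in the ticket.
        if presented_sender != ticket["sender"]:
            return "refuse: sender not in ticket"
        # Validity period.
        if now > ticket["valid_until"]:
            return "refuse: ticket expired"
        # Sender/recipient pair registered for refusal by the recipient.
        if (ticket["sender"], ticket["recipient"]) in self.refused:
            return "refuse: registered for refusal"
        # Transfer control flag set: authenticate the sender by challenge/response.
        if ticket["transfer_control"]:
            key = SENDER_KEYS.get(presented_sender)
            nonce = secrets.token_bytes(16)  # fresh per attempt, so no replay
            response = responder(nonce) if responder else ""
            if key is None or not hmac.compare_digest(
                    str(response).encode(), mac(key, nonce).encode()):
                return "refuse: sender authentication failed"
        return "deliver to " + ticket["recipient"]


if __name__ == "__main__":
    svc = SecureCommunicationService()
    t = issue_ticket("anon-sender-01", "anon-recipient-07", 2000, True)
    print(svc.check(t, "anon-sender-01", 1000,
                    lambda n: answer_challenge("anon-sender-01", n)))
    print(svc.check(dict(t, recipient="anon-recipient-99"), "anon-sender-01", 1000))
```

The signature check runs first so that every later field read operates on values the issuer actually bound together; a ticket whose recipient was swapped after issue is refused before its sender, validity period or flag is consulted.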

[0080] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by real email addresses of the sender and the recipient.

[0081] Also, in this aspect of the present invention, the system can further comprise: a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device; wherein the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient.

[0082] Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

[0083] Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

[0084] Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0085] Also, in this aspect of the present invention, the system can further comprise: a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device and a link information of each anonymous identification by which each anonymous identification can be uniquely identified; wherein the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

[0086] Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

[0087] Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

[0088] Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

[0089] Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

[0090] Also, in this aspect of the present invention, one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

[0091] Also, in this aspect of the present invention, the system can further comprise: a certification authority device for issuing to each user an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification; and a secure processing device at which prescribed processing on the personalized access ticket can be carried out only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

[0092] Also, in this aspect of the present invention, the certification authority device issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority device.

[0093] Also, in this aspect of the present invention, the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, a changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.

[0094] Also, in this aspect of the present invention, a special identification and a special enabler corresponding to the special identification which are known to all users can be defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.

[0095] Also, in this aspect of the present invention, the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

[0096] Also, in this aspect of the present invention, a special identification which is known to all users can be defined such that a read only attribute can be set to the personalized access ticket by using the special identification.

[0097] Also, in this aspect of the present invention, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service device takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.

[0098] According to another aspect of the present invention there is provided a communication system realizing email access control, comprising: a certification authority device for defining an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification; and a communication network on which each user is identified by the anonymous identification of each user in communications for emails on the communication network.

[0099] Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

[0100] Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

[0101] Also, in this aspect of the present invention, the system can further comprise: a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

[0102] Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0103] Also, in this aspect of the present invention, the certification authority device can also define a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification can also contain the link information of each anonymous identification.

[0104] Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

[0105] Also, in this aspect of the present invention, the system can further comprise: a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

[0106] Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of link informations of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.
[0107] According to another aspect of the present invention there is provided a secure communication service device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to connect communications between the sender and the receiver, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

[0108] In this aspect of the present invention, the computer software causes the computer hardware to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.
[0109] Also, in this aspect of the present invention, the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and the computer software causes the computer hardware to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

[0110] Also, in this aspect of the present invention, the computer software causes the computer hardware to also receive the sender's identification presented by the sender along with the personalized access ticket, check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

[0111] Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the computer software causes the computer hardware to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

[0112] Also, in this aspect of the present invention, the computer software can cause the computer hardware to register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service device, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered at the secure communication service device in advance.

[0113] Also, in this aspect of the present invention, the computer software can cause the computer hardware to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.

[0114] Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the computer software causes the computer hardware to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.

[0115] Also, in this aspect of the present invention, the computer software causes the computer hardware to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.

[0116] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the computer software can also cause the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0117] Also, in this aspect of the present invention, an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified can be defined, the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the computer software can also cause the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

[0118] Also, in this aspect of the present invention, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the computer software causes the computer hardware to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.

[0119] According to another aspect of the present invention there is provided a secure processing device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to receive a request for a personalized access ticket from a user, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

[0120] According to another aspect of the present invention there is provided a directory service device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

[0121] According to another aspect of the present invention there is provided a certification authority device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification.

[0122] According to another aspect of the present invention there is provided a certification authority device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to issue to each user an identification of each user and an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.
[0123] According to another aspect of the present invention there is provided a secure processing device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification, and execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.

[0124] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure communication service device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to receive a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email; and second computer readable program code means for causing said computer to control accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket so as to connect communications between the sender and the receiver on the communication network.

[0125] Also, in this aspect of the present invention, the second computer readable program code means causes said computer to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.

[0126] Also, in this aspect of the present invention, the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and the second computer readable program code means causes said computer to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

[0127] Also, in this aspect of the present invention, the first computer readable program code means causes said computer to also receive the sender's identification presented by the sender along with the personalized access ticket, and the second computer readable program code means causes said computer to check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

[0128] Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the second computer readable program code means causes said computer to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.
[0129] Alsa in this aspect of the present invention, the 
second computer readable program code means can 
cause said compute- to register in advance the person- 
alized access ticket containing an identification of a spe- 
oHk user from whk^h a defivery of emails to a spedf k; 
regtstrant is to be refused as the sender^ k ten li fi cati o n 
and an identifi c a ti o n of the specific registrant as the 
recipi^^ kientification, at the secure communication 
servce devk». and refuse a deliv^ of the email from 
ttie sender wtien the personalized access ticket pre- 
sented the serxler is registered at the secure com- 
municatkHi servkse device in advance. 
[0130] Also, in this aspect of the present invention, the second computer readable program code means can cause said computer to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.
[0131] Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the second computer readable program code means causes said computer to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.
[0132] Also, in this aspect of the present invention, the second computer readable program code means causes said computer to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.

[0133] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the second computer readable program code means can also cause said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.
[0134] Also, in this aspect of the present invention, an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified can be defined, the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the second computer readable program code means can also cause said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

[0135] Also, in this aspect of the present invention, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the second computer readable program code means causes said computer to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.

[0136] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to receive a request for a personalized access ticket from a user; and second computer readable program code means for causing said computer to issue the personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

[0137] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a directory service device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and second computer readable program code means for causing said computer to issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

[0138] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device; and second computer readable program code means for causing said computer to issue to each user an anonymous identification of each user which contains at least one fragment of the official identification.

[0139] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to issue to each user an identification of each user; and second computer readable program code means for causing said computer to issue to each user an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

[0140] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification; and second computer readable program code means for causing said computer to execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.
[0141] Other features and advantages of the present invention will become apparent from the following description taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0142]

Fig. 1 is a diagram showing an overall configuration of a communication system according to the first embodiment of the present invention.
Fig. 2 is a diagram showing exemplary data structures of an official identification, an anonymous identification, and a 1-to-1 personalized access ticket according to the first embodiment of the present invention.
Fig. 3 is a flow chart for an anonymous identification generation processing at a certification authority according to the first embodiment of the present invention.
Fig. 4 is a flow chart for a personalized access ticket generation processing at an anonymous directory service according to the first embodiment of the present invention.
Fig. 5 is a flow chart for a mail access control processing at a secure communication service according to the first embodiment of the present invention.
Fig. 6 is a flow chart for an anonymous identification identity judgement processing at a secure communication service according to the first embodiment of the present invention.
Fig. 7 is a diagram showing exemplary data structures of data used in the anonymous identification identity judgement processing of Fig. 6.
Fig. 8 is a diagram showing exemplary data structures of an official identification, an anonymous identification, and a 1-to-N personalized access ticket according to the second embodiment of the present invention.
Fig. 9 is a diagram showing exemplary data structures of an anonymous identification and an enabler according to the second embodiment of the present invention.
Fig. 10 is a diagram showing a definition of a processing rule (MakePAT) used in the second embodiment of the present invention.
Fig. 11 is a diagram showing a definition of a processing rule (MergePAT) used in the second embodiment of the present invention.
Fig. 12 is a diagram showing a definition of a processing rule (SplitPAT) used in the second embodiment of the present invention.
Fig. 13 is a diagram showing a definition of a processing rule (TransPAT) used in the second embodiment of the present invention.
Fig. 14 is a first exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 15 is a second exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 16 is a third exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 17 is a fourth exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 18 is a fifth exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 19 is a sixth exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 20 is a seventh exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 21 is a flow chart showing an overall processing flow of MakePAT, MergePAT or TransPAT processing according to the second embodiment of the present invention.
Fig. 22 is a flow chart showing an overall processing flow of SplitPAT processing according to the second embodiment of the present invention.
Fig. 23 is a flow chart for an anonymous identification list generation processing (for MakePAT, MergePAT, SplitPAT and TransPAT) according to the second embodiment of the present invention.
Fig. 24 is an enabler authenticity verification processing (for MakePAT, MergePAT, SplitPAT and TransPAT) according to the second embodiment of the present invention.
Fig. 25 is a diagram showing an exemplary data structure of Null-AID used in the third embodiment of the present invention.
Fig. 26 is a diagram showing an exemplary data structure of Enabler of Null-AID used in the third embodiment of the present invention.
Fig. 27 is a diagram showing a first exemplary application of the third embodiment of the present invention.
Fig. 28 is a diagram showing a second exemplary application of the third embodiment of the present invention.
Fig. 29 is a diagram showing an exemplary data structure of God-AID used in the fourth embodiment of the present invention.
Fig. 30 is a diagram showing a first exemplary application of the fourth embodiment of the present invention.
Fig. 31 is a diagram showing a second exemplary application of the fourth embodiment of the present invention.
Fig. 32 is a flow chart for a member anonymous identification checking processing according to the fifth embodiment of the present invention.
Fig. 33 is a diagram showing an overall configuration of a communication system according to the sixth embodiment of the present invention.
Fig. 34 is a diagram showing exemplary data structures of an official identification, a link information attached anonymous identification, and a link specifying 1-to-1 personalized access ticket according to the sixth embodiment of the present invention.
Fig. 35 is a flow chart for a link information attached anonymous identification generation processing at a certification authority according to the sixth embodiment of the present invention.
Fig. 36 is a flow chart for a link specifying 1-to-1 personalized access ticket generation processing at an anonymous directory service according to the sixth embodiment of the present invention.
Fig. 37 is a flow chart for a mail access control processing at a secure communication service according to the sixth embodiment of the present invention.
Fig. 38 is a flow chart for an anonymous identification identity judgement processing at a secure communication service according to the sixth embodiment of the present invention.
Fig. 39 is a diagram showing exemplary data structures of data used in the anonymous identification identity judgement processing of Fig. 38.
Fig. 40 is a diagram showing exemplary data structures of an official identification, a link information attached anonymous identification, and a link specifying 1-to-N personalized access ticket according to the seventh embodiment of the present invention.
Fig. 41 is a diagram showing exemplary data structures of a link information attached anonymous identification and an enabler according to the seventh embodiment of the present invention.
Fig. 42 is a first exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 43 is a second exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 44 is a third exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 45 is a fourth exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 46 is a fifth exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 47 is a sixth exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 48 is a seventh exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 49 is a flow chart for a link specifying anonymous identification list generation processing (for MakePAT, MergePAT, SplitPAT and TransPAT) according to the seventh embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0143] Referring now to Fig. 1 to Fig. 7, the first embodiment of the email access control scheme according to the present invention will be described in detail.
[0144] The email access control scheme of the present invention enables bidirectional communications between a sender and a recipient appropriately while maintaining anonymity of a sender and a recipient on a communication network. Basically, this is realized by disclosing only information indicative of characteristics of recipients in a state of concealing true identifiers of the recipients, and assigning limited access rights with respect to those who wish to carry out communications while maintaining the anonymity according to the disclosed information.

[0145] More specifically, an Anonymous Identification (abbreviated hereafter as AID) that functions as a role identifier in which a personal information is concealed is assigned to a user, and this AID is disclosed on the network in combination with an information indicative of characteristics of the user such as his/her interests, age, job, etc., which cannot be used in identifying the user on the network but which can be useful for a sender in judging whether or not it is worth communicating with that user.

[0146] Also, the sender can search out a recipient with whom he/she wishes to communicate by reading or searching through the disclosed information. Namely, in the case where the sender wishes to communicate with a recipient while maintaining his/her own anonymity, the sender specifies the AID of that recipient and acquires a Personalized Access Ticket (abbreviated hereafter as PAT). The PAT contains the AIDs of the sender and the recipient as well as information regarding a transfer control flag and a validity period. The transfer control flag is used in order to determine whether a Secure Communication Service (abbreviated hereafter as SCS) to be described below carries out the authentication with respect to the sender. Namely, when the transfer control flag is set ON, the SCS will carry out the authentication such as signature verification for example, with respect to the sender at a time of the connection request. On the other hand, when the transfer control flag is set OFF, the SCS will give the connection request to a physical communication network to which the SCS is connected, without carrying out the authentication. In other words, the transfer control is used in order to verify whether or not the AID is properly utilized by the user to whom it is allocated by a Certification Authority (abbreviated hereafter as CA).

[0147] In the communication network realizing the email access control scheme of the present invention, the assignment of AIDs with respect to users, the maintenance of information disclosed in combination with AIDs, the issuance of PATs, and the email access control based on PATs are realized by separate organizations. This is because it is more convenient to realize them by separate organizations from a perspective of maintaining the security of the entire network, since security levels to be maintained in relation to respective actions are different. Note however that the maintenance of the disclosed information and the issuance of PATs may be realized by the same organization.
[0148] Fig. 1 shows an overall configuration of a communication system in this first embodiment, which is directed to the email service on Internet or Intranet.
[0149] In Fig. 1, the CA (Certification Authority) 1 has a right to authenticate an Official Identification (abbreviated hereafter as OID) that identifies each individual and a right to issue AIDs, and functions to generate AIDs from OIDs and allocate AIDs to users 3.
[0150] The SCS (Secure Communication Service) 5 judges whether or not to admit a connection in response to a connection request by an email from a user 3, according to the PAT (Personalized Access Ticket) presented from a user 3. The SCS 5 also rejects a connection request by an email according to a request from a user 3. The SCS 5 also judges the identity of OIDs according to a request from a user 3.
[0151] An Anonymous Directory Service (abbreviated hereafter as ADS) 7 is a database for managing the AID, the transfer control flag value, the validity period value, and the disclosed information (such as interests, which can be regarded as requiring a lower secrecy compared with a personal information such as name, telephone number, and real email address) of each user 3. The ADS 7 has a function to generate the PAT from the AID of a user 3 who presented search conditions, the AID of a user 3 who has been registering the disclosed information that matches the search conditions in the ADS 7, the transfer control flag value given from a user 3 or administrators of the ADS, and the validity period value given from a user 3 or administrators of the ADS, and then allocate the PAT to a user 3 who presented the search conditions.
[0152] First, a series of processing from generating the AID from the OID according to a request from a user until allocating the AID to that user will be described.
[0153] Fig. 2 shows exemplary formats of the OID, the AID, and the PAT. As shown in a part (a) of Fig. 2, the OID is an information comprising an arbitrary character string according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1 using a secret key of the CA 1.
[0154] Also, as shown in a part (b) of Fig. 2, the AID is an information comprising fragments of the OID and their position information, redundant character strings, and an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, which is signed by the CA 1 using the secret key of the CA 1.
[0155] Also, as shown in a part (c) of Fig. 2, the PAT is an information comprising the transfer control flag, AID|], AID^, and the validity period, which is signed by the ADS 7 using a secret key of the ADS 7. Here, the transfer control flag value is defined to take either 0 or 1. Also, the validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0156] Note that as will be explained in the subsequent embodiments described below, in addition to the 1-to-1 PAT which sets one sender and one recipient in correspondence as described above, the present invention can also use a 1-to-N PAT which sets one sender and N recipients, as well as a link specifying PAT which specifies the AID by a link information that is capable of specifying the AID instead of specifying the AID itself in the PAT. The link specifying PAT can be either a link specifying 1-to-1 PAT or a link specifying 1-to-N PAT depending on the correspondence relationship between the sender and the recipients as described above. Namely, the PAT of the present invention can be given in four types: 1-to-1 PAT, 1-to-N PAT, link specifying 1-to-1 PAT, and link specifying 1-to-N PAT.
[0157] Next, a procedure by which the user 3 requests the AID to the CA 1 will be described. The user 3 generates a pair of a secret key and a public key. Then, the user 3 and the CA 1 carry out the bidirectional authentication using the OID of the user 3 and the certificate of the CA 1, and the user 3 transmits the public key to the CA 1 by arbitrary means. Here, there can be cases where communications between the user 3 and the CA 1 are to be encrypted.



[0158] Next, a procedure by which the CA 1 issues the AID to the user 3 in response to a request for the AID as described above will be described. Upon receiving the public key from the user 3, the CA 1 generates the AID. Then, the CA 1 transmits the AID to the user 3 by arbitrary means. Upon receiving the AID from the CA 1, the user 3 stores the received AID into its storage device. Here, there can be cases where communications between the user 3 and the CA 1 are to be encrypted.
[0159] Next, the AID generation processing at the CA will be described with reference to Fig. 3.
[0160] In the procedure of Fig. 3, the CA 1 generates an information of a length equal to the total length L of the OID, and sets this information as a tentative AID (step S911). Then, in order to carry out the partial copying of the OID, values of parameters p_i and l_i for specifying a copying region are determined using arbitrary means such as random number generation respectively (step S913). Here, L is equal to the total length L of the OID, and l_i is an arbitrarily defined value within a range in which a relationship of 0 ≤ l_i ≤ L holds. Then, an information in a range between a position p_i to a position p_i + l_i from the top of the OID is copied to the same positions in the tentative AID (step S915). In other words, the OID fragment will be copied to a range between a position p_i and a position p_i + l_i from the top of the tentative AID. Then, the values of p_i and l_i are written into a prescribed range in the tentative AID into which the OID has been partially copied, in a form encrypted by an arbitrary means (step S917). Then, an SCS information given by an arbitrary character string (host name, real domain, etc.) that can uniquely identify a host or a domain that is operating the SCS 5 on the network is written into a prescribed range in the tentative AID into which these values are written (step S919). Then, the tentative AID into which the above character string is written is signed using a secret key of the CA 1 (step S921).

[0161] Next, a procedure for registering the AID of a user-B 3 and the disclosed information into the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-B 3 and the certificate of the ADS 7 is carried out between the user-B 3 who is a registrant and the ADS 7. Then, the user-B 3 transmits the transfer control flag value, the validity period value, and the disclosed information such as interests to the ADS 7. Then, the ADS 7 stores the transfer control flag value, the validity period value, and the entire disclosed information in relation to the AID of the user-B 3 in its storage device. Here, there can be cases where communications between the user-B 3 who is the registrant and the ADS 7 are to be encrypted.
[0162] Next, a procedure by which a user-A 3 searches through the disclosed information that is registered in the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-A 3 and the certificate of the ADS 7 is carried out between the user-A 3 who is a searcher and the ADS 7. Then, the user-A 3 transmits arbitrary search conditions to the ADS 7. Then, the ADS 7 presents all the received search conditions to its storage device, and extracts the AID of a registrant which satisfies these search conditions. Then, the ADS 7 generates the PAT from the AID of the user-A 3, the AID of the registrant who satisfied all the search conditions, the transfer control flag value, and the validity period value. Then, the ADS 7 transmits the generated PAT to the user-A 3. Here, there can be cases where communications between the user-A 3 who is a searcher and the ADS 7 are to be encrypted. Note that the 1-to-1 PAT is generated as a search result of the ADS 7.
[0163] Next, the 1-to-1 PAT generation processing at the ADS 7 will be described with reference to Fig. 4.
[0164] First, an information of a prescribed length is generated, and this information is set as a tentative PAT (step S1210). Then, the AID of the user-A 3 who is a searcher and the AID of the user-B 3 who is a registrant are copied into a prescribed region of the tentative PAT (step S1215). Then, the transfer control flag value and the validity period value are written into respective prescribed regions of the tentative PAT into which the AIDs are copied (step S1217). Then, the tentative PAT into which these values are written is signed using a secret key of the ADS 7 (step S1219).
[0165] Next, the transfer control using the 1-to-1 PAT will be described. The transfer control is a function for limiting accesses to a user who has a proper access right from a third person to whom the PAT has been transferred or who has eavesdropped the PAT (a user who originally does not have the access right).
[0166] The ADS 7 and the user-B 3 of the registrant AID can prohibit a connection to the user-B 3 from a third person who does not have the access right by setting a certain value into the transfer control flag of the PAT.

[0167] When the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5.
[0168] On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.
[0169] Next, the email access control method at the SCS 5 will be described with reference to Fig. 5.
[0170] The sender specifies "[sender's AID]@[real domain of SCS of sender]" in From: line, and "[PAT]@[real domain of SCS of sender]" in To: line.
[0171] The SCS 5 acquires a mail received by an MTA (Message Transfer Agent) such as SMTP (Simple Mail Transfer Protocol), and executes the processing of Fig. 5 as follows.

(1) The signature of the PAT is verified using a public key of the ADS 7 (step S1413).

When the PAT is found to have been altered (step S1415 YES), the mail is discarded and the processing is terminated (step S1416).

When the PAT is found to have been not altered (step S1415 NO), the following processing (2) is executed.

(2) The search is carried out by presenting the sender's AID to the PAT (steps S1417, S1419, S1421).

When an AID that completely matches with the sender's AID is not contained in the PAT (step S1423 NO), the mail is discarded and the processing is terminated (step S1416).

When an AID that completely matches with the sender's AID is contained in the PAT (step S1423 YES), the following processing (3) is executed.

(3) The validity period value of the PAT is evaluated (steps S1425, S1427).

When the PAT is outside the validity period (step S1427 NO), the mail is discarded and the processing is terminated (step S1416).

When the PAT is within the validity period (step S1427 YES), the following processing (4) is executed.

(4) Whether or not to authenticate the sender is determined by referring to the transfer control flag value of the PAT (steps S1431, S1433).

When the value is 1 (step S1433 YES), the challenge/response authentication between the SCS 5 and the sender is carried out and the signature of the sender is verified (step S1435). When the signature is valid, the recipient is specified and the PAT is attached (step S1437). When the signature is invalid, the mail is discarded and the processing is terminated (step S1416).

When the value is 0 (step S1433 NO), the recipient is specified and the PAT is attached without executing the challenge/response authentication (step S1437).

[0172] Next, an exemplary challenge/response authentication between the SCS 5 and the sender will be described.
[0173] First, the SCS 5 generates an arbitrary information such as a timestamp, for example, and transmits the generated information to the sender.
[0174] Then, the sender signs the received information using a secret key of the sender's AID and transmits it along with a public key of the sender's AID.
[0175] The SCS 5 then verifies the signature of the received information using the public key of the sender's AID. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the mail is discarded and the processing is terminated.

[0176] Next, a method for specifying the recipient at the SCS 5 will be described. First, the SCS 5 carries out the search by presenting the sender's AID to the PAT, so as to acquire all the AIDs which do not completely match the sender's AID. All these acquired AIDs will be defined as recipient's AIDs hereafter. Then, for every recipient's AID, the real domain of SCS of recipient is taken out from the recipient's AID. Then, the recipient is specified in a format of "[recipient's AID]@[real domain of SCS of recipient]". Finally, the SCS 5 changes the sender from a format of "[sender's AID]@[real domain of SCS of sender]" to a format of "sender's AID".
[0177] Next, a method for attaching the PAT at the SCS 5 will be described. The SCS 5 attaches the PAT to an arbitrary portion in the mail. The SCS 5 gives the mail to the MTA after specifying the sender and the recipient and attaching the PAT.
[0178] Note that all the processings described above are the same in the case of the 1-to-N PAT.
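The decision sequence of Fig. 5 and the recipient rewriting of [0176], as an added example that is not part of the patent text. It assumes an HMAC in place of the public-key signatures of the ADS 7 and of the sender's AID so that it runs on the standard library alone, models the validity period as a single expiry time, and uses constructed names (`Aid`, `issue_pat`, `scs_process`, the `.example` domains and all keys).

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

ADS_KEY = b"constructed-ads-signing-key"  # assumption: stands in for the ADS 7 key pair


@dataclass(frozen=True)
class Aid:
    token: str       # opaque anonymous identification (constructed value)
    scs_domain: str  # real domain of the SCS, carried inside the AID


def mac(key, data):
    """HMAC-SHA256, used here as a stand-in for signing and verifying."""
    return hmac.new(key, data, hashlib.sha256).digest()


def pat_body(aids, flag, not_after):
    """Canonical bytes of the PAT fields covered by the signature."""
    return json.dumps([[a.token, a.scs_domain] for a in aids] + [flag, not_after]).encode()


def issue_pat(aids, flag, not_after):
    """Constructed issuer standing in for the ADS 7."""
    aids = tuple(aids)
    return {"aids": aids, "flag": flag, "not_after": not_after,
            "sig": mac(ADS_KEY, pat_body(aids, flag, not_after))}


def scs_process(sender, pat, respond, aid_keys, now):
    """Apply steps (1)-(4) of Fig. 5; return (verdict, rewritten envelope or None)."""
    # (1) Verify the PAT signature; an altered PAT ends the processing.
    expected = mac(ADS_KEY, pat_body(pat["aids"], pat["flag"], pat["not_after"]))
    if not hmac.compare_digest(expected, pat["sig"]):
        return "discard: PAT altered", None
    # (2) The sender's AID must completely match one AID contained in the PAT.
    if sender not in pat["aids"]:
        return "discard: sender AID not in PAT", None
    # (3) Validity period (only an expiry time is modelled here).
    if now > pat["not_after"]:
        return "discard: PAT outside validity period", None
    # (4) Transfer control flag 1: authenticate the sender by challenge/response.
    if pat["flag"] == 1:
        challenge = os.urandom(16)  # "arbitrary information"; the text suggests a timestamp
        key = aid_keys.get(sender.token)
        response = respond(challenge)
        if key is None or not hmac.compare_digest(mac(key, challenge), response):
            return "discard: sender authentication failed", None
    # [0176]: recipients are all AIDs in the PAT that do not match the sender's AID;
    # the sender is rewritten from "AID@domain" to the bare AID.
    recipients = [a for a in pat["aids"] if a != sender]
    envelope = {"from": sender.token,
                "to": [f"{a.token}@{a.scs_domain}" for a in recipients],
                "pat": pat}
    return "deliver", envelope


def demo():
    """Constructed scenario: the AID holder versus a user who was only handed AID + PAT."""
    a = Aid("AID-A", "scs-a.example")
    b = Aid("AID-B", "scs-b.example")
    keys = {"AID-A": b"constructed-key-of-AID-A"}
    holder = lambda c: mac(keys["AID-A"], c)          # knows the secret of AID-A
    borrower = lambda c: mac(b"does-not-know-it", c)  # was given AID-A and the PAT only
    bound = issue_pat([a, b], 1, 2000)   # transfer control flag 1
    bearer = issue_pat([a, b], 0, 2000)  # transfer control flag 0
    return {
        "holder, flag 1": scs_process(a, bound, holder, keys, 1000),
        "borrower, flag 1": scs_process(a, bound, borrower, keys, 1000),
        "borrower, flag 0": scs_process(a, bearer, borrower, keys, 1000),
        "holder, expired": scs_process(a, bound, holder, keys, 3000),
        "flag flipped to 0": scs_process(a, dict(bound, flag=0), borrower, keys, 1000),
    }


if __name__ == "__main__":
    for case, (verdict, _) in demo().items():
        print(f"{case:18} -> {verdict}")
```

With the flag at 0 the PAT behaves as a bearer token, so the validity period and receiving refusal are the only limits on its use; flipping the flag on an issued PAT fails at step (1) because the flag is covered by the signature.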
[0179] Next, a method of receiving refusal with respect to the PAT at the SCS 5 will be described.
[0180] Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own AID, and arbitrary PATs to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next verifies the signature of each received PAT using a public key of the ADS. Those PATs with the invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 carries out the search by presenting the received AID to each PAT. For each of those PATs which contain the AID that completely matches with the received AID, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain the AID that completely matches with the received AID are discarded by the SCS 5 without storing them into the storage device. Here, there can be cases where communications between the user and the SCS 5 are to be encrypted.

[0181] Receiving refusal execution: The SCS 5 carries out the search by presenting the PAT to the storage device. When a PAT that completely matches the presented PAT is registered in the storage device, the mail is discarded. When a PAT that completely matches the presented PAT is not registered in the storage device, the mail is not discarded.

[0182] Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own AID to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next presents the presented AID as a search condition to the storage device and acquires all the PATs that contain the presented AID, and then presents all the acquired PATs to the user. Then, the user selects all the PATs for which the receiving refusal is to be cancelled by referring to all the PATs presented from the SCS 5, and transmits all the selected PATs along with a deletion command to the SCS 5. Upon receiving the deletion command and all the PATs for which the receiving refusal is to be cancelled, the SCS 5 presents the deletion command and all the PATs received from the user to the storage device, such that all the received PATs are deleted from the storage device.

[0183] Note that the method of receiving refusal with respect to the 1-to-N PAT at the SCS 5 is the same as the method of receiving refusal with respect to the 1-to-1 PAT described above.

[0184] Note also that the case of returning of a mail from the user-B to the user-A is the same as in the case of transmitting a mail from the user-A to the user-B.
[0185] Next, the judgement of identity will be described with reference to Fig. 6 and Fig. 7.

(1) An initial value of a variable OID_M is defined as a bit sequence with a length equal to the total length L of the OID and all values equal to "0". Also, an initial value of a variable OID_V is defined as a bit sequence with a length equal to the total length of the OID and all values equal to "0" (step S2511).
(2) One AID is selected from a set of processing target AIDs, and the following bit processing is carried out (step S2513).

(a) Values of variables AID_M and AID_V are determined according to the position information contained in the AID (step S2515). Here, AID_M is defined as a bit sequence with a length equal to the total length L of the OID and a value of a position at which the OID information is defined is "1" while a value of a position at which the OID information is not defined is "0" (see Fig. 7). Also, AID_V is defined as a bit sequence with a length equal to the total length L of the OID and a value of a position at which the OID information is defined is an actual value of the OID information while a value of a position at which the OID information is not defined is "0" (see Fig. 7).

(b) AND processing of OID_M and AID_M is carried out and its result is substituted into a variable OVR_M (step S2517).

(c) AND processing of OVR_M and AID_V as well as AND processing of OVR_M and OID_V are carried out and their results are compared (step S2519). When they coincide, OR processing of OID_M and AID_M is carried out and its result is substituted into OID_M (step S2521), while OR processing of OID_V and AID_V is also carried out and its result is substituted into OID_V (step S2523). On the other hand, when they do not coincide, the processing proceeds to the step S2525.

(d) An AID to be processed next is selected from a set of processing target AIDs. When at least one another AID is contained in the set, the steps S2513 to S2523 are executed for that another AID. When no other AID is contained in the set, the processing proceeds to the step S2527.

(e) Values of OID_M and OID_V are outputted (step S2527).

[0186] The value of OID_M that is eventually obtained indicates all positions of the OID information that can be recovered from the set of processing target AIDs. Also, the value of OID_V that is eventually obtained indicates all the OID information that can be recovered from the set of processing target AIDs. In other words, by using the values of OID_M and OID_V, it is possible to obtain the OID albeit probabilistically when the value of OID_V is used as a search condition, and it is possible to quantitatively evaluate a precision of the above search by a ratio OID_M/L with respect to the total length L of the OID.
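The bit processing of steps S2511 to S2527, as an added example that is not part of the patent text. It assumes an AID can be modelled as one contiguous OID fragment with a bit offset, reads the ratio OID_M/L as the number of set bits in OID_M divided by L, and uses a constructed 16-bit OID with constructed fragments.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Aid:
    """Constructed model of an AID: one OID fragment plus its position information."""
    offset: int    # bit index, counted from the most significant bit, where the fragment starts
    fragment: str  # fragment bits as a string of '0' and '1'


def aid_masks(aid, length):
    """Return (AID_M, AID_V) as integers of width `length` (step S2515)."""
    n = len(aid.fragment)
    if aid.offset < 0 or aid.offset + n > length:
        raise ValueError("fragment does not fit inside the OID")
    shift = length - aid.offset - n
    aid_m = ((1 << n) - 1) << shift        # 1 where OID information is defined
    aid_v = int(aid.fragment, 2) << shift  # actual OID bits there, 0 elsewhere
    return aid_m, aid_v


def judge_identity(aids, length):
    """Accumulate OID_M and OID_V over the target AIDs; also report which AIDs conflicted."""
    oid_m = 0  # S2511: all bits "0"
    oid_v = 0
    merged, rejected = [], []
    for aid in aids:                       # S2513 / S2525
        aid_m, aid_v = aid_masks(aid, length)
        ovr_m = oid_m & aid_m              # S2517: positions known on both sides
        if (ovr_m & aid_v) == (ovr_m & oid_v):  # S2519: overlap agrees
            oid_m |= aid_m                 # S2521
            oid_v |= aid_v                 # S2523
            merged.append(aid)
        else:
            rejected.append(aid)
    return oid_m, oid_v, merged, rejected  # S2527


def precision(oid_m, length):
    """Share of OID bit positions recovered (assumed reading of the ratio OID_M/L)."""
    return bin(oid_m).count("1") / length


# Constructed sample data. TRUE_OID is known only to make the result checkable.
L = 16
TRUE_OID = 0b1011001110111101
A = Aid(0, "101100")   # bits 0-5 of TRUE_OID
B = Aid(4, "001110")   # bits 4-9 of TRUE_OID, overlaps A consistently
C = Aid(8, "0111")     # from a different OID, conflicts with B on bits 8-9
D = Aid(12, "1101")    # bits 12-15 of TRUE_OID, no overlap with A or B
E = Aid(10, "01")      # from a different OID, but overlaps nothing seen so far


def demo():
    same_sender = judge_identity([A, B, C, D], L)
    with_stray = judge_identity([A, B, C, D, E], L)
    return same_sender, with_stray


if __name__ == "__main__":
    for oid_m, oid_v, merged, rejected in demo():
        print(f"OID_M={oid_m:016b} OID_V={oid_v:016b} "
              f"precision={precision(oid_m, L):.3f} rejected={rejected}")
```

The second run shows why the text says "albeit probabilistically": an AID that overlaps nothing already recovered always passes the comparison at S2519, so E is merged, the precision reaches 1.0, and OID_V still differs from the true OID.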
[0187] As described above, in this first embodiment, the CA 1 which is a Third Party with high secrecy and credibility generates the AID in which the personal information is concealed, from the OID that contains the highly secret personal information such as name, telephone number, real email address, etc., according to a user request and issues the AID to the user. By identifying the user by this AID on the communication network as well as in various services provided on the communication network, it becomes possible to provide both the anonymity guarantee and the identity guarantee for the user. In other words, it becomes possible for the user to communicate with another user without revealing the own real name, telephone number, email address, etc., to that another user, and it also becomes possible to disclose the disclosed information to unspecified many through the ADS 7 as will be described below.
[0188] The user registers the disclosed information, that is an information which is supposed to have a low secrecy compared with the personal information, at the ADS 7. In the case of searching the disclosed information and the registrant AID, the searcher presents the AID of the searcher and arbitrary search conditions to the ADS 7. The ADS 7 then extracts the registrant AID that satisfies these search conditions, and generates the PAT from the AID of the searcher and the AID of the registrant who satisfied the search conditions, the transfer control flag value, and the validity period value.
[0189] In this 1-to-1 PAT, the transfer control flag value and the validity period value are set as shown in a part (c) of Fig. 2, and by setting up this validity period in advance, it is possible to limit connections from the sender.

[0190] It is also possible to prohibit connections from a third person who does not have the access right by using the transfer control flag value. Namely, when the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5. On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.

[0191] It is also possible to make a connection request to the communication network such that a call for which the recipient is specified by the 1-to-1 PAT will be received by the recipient's AID or the sender's AID defined within the PAT. In addition, it is also possible to refuse receiving calls with the 1-to-1 PAT selected by the recipient among calls which are specified by the 1-to-1 PAT. It is also possible to cancel the receiving refusal of the calls with the 1-to-1 PAT selected by the recipient. In addition, as a measure against the sender who repeats the personal attack using a plurality of sender's AIDs by taking an advantage of the anonymity, it is possible to judge the identity of the OID from these plurality of sender's AIDs and it is possible to extract that OID at some probability.

[0192] Next, with references to Fig. 8 to Fig. 24, the second embodiment of the email access control scheme according to the present invention will be described in detail.

[0193] In contrast to the first embodiment described above which is directed to the case where a sender and a recipient are set in 1-to-1 correspondence, this second embodiment is directed to the case where a sender and recipients are set in 1-to-N correspondence and a generation of a new PAT and a content change of the existing PAT can be made by the initiative of a user. Here, the sender is either a holder of the PAT or a member of the PAT. Similarly, the recipient is either a holder of the PAT or a member of the PAT.
[0194] In general, a membership of a group communication (mailing list, etc.) is changing dynamically so that it is necessary for a host of the group communication to manage information on a point of contact such as telephone number, email address, etc., of each member. In contrast, in the case where it is only possible to newly generate a 1-to-1 PAT as in the first embodiment, the management of a point of contact is difficult. For example, it is difficult to manage the group collectively, and even if it is given to the others for the purpose of the transfer control, it does not function as an address of group communication such as mailing list.

[0195] In this second embodiment, in order to resolve such a problem, it is made possible to carry out a generation of a new 1-to-N PAT and a content change of the existing 1-to-N PAT by the initiative of a user.
[0196] First, the definition of various identifications used in this second embodiment will be described with references to Fig. 8 and Fig. 9.
[0197] As shown in a part (a) of Fig. 8, the OID is an information comprising an arbitrary character string (telephone number, email address, etc.) according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1.
[0198] Also, as shown in a part (b) of Fig. 8, the AID is an information comprising fragments of the OID and their position information, redundant character strings, and an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, which is signed by the CA 1.

[0199] Also, as shown in a part (c) of Fig. 8, the 1-to-N PAT is an information comprising two or more AIDs, a holder index, the validity period, the transfer control flag, and a PAT processing device identifier, which is signed using a secret key of the PAT processing device.
[0200] Here, one of the AIDs is a holder AID of this PAT, where the change of the information contained in the PAT such as an addition of AID to the PAT, a deletion of AID from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the holder AID and a corresponding Enabler to the PAT processing device.

[0201] On the other hand, the AIDs other than the holder AID that are contained in the PAT are all member AIDs, where a change of the information contained in the PAT cannot be made even when the member AID and a corresponding Enabler are presented to the PAT processing device.

[0202] The holder index is a numerical data for identifying the holder AID, which is defined to take a value 1 when the holder AID is a top AID in the AID list formed from the holder AID and the member AIDs, a value 2 when the holder AID is a second AID from the top of the AID list, or a value n when the holder AID is an n-th AID from the top of the AID list.

[0203] The transfer control flag value is defined to take either 0 or 1 similarly as in the case of the 1-to-1 PAT.
[0204] The holder AID is defined to be an AID which is written at a position of the holder index value in the AID list. The member AIDs are defined to be all the AIDs other than the holder AID.
[0205] The validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0206] The identifier of a PAT processing device (or a PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to be uniquely corresponding to the identifier.
[0207] Also, in this second embodiment, an Enabler is introduced as an identifier corresponding to the AID. As shown in Fig. 9, the Enabler is an information comprising a character string uniquely indicating that it is an Enabler and an AID itself, which is signed by the CA 1.
[0208] Next, the operations for a generation of a new PAT and a content change of the existing PAT will be described. Here, the following operations are defined at a secure PAT processing device on the communication terminal or a PAT processing object on the CA or on a network which is properly requested from the CA (which will also be referred to as a PAT processing device hereafter).

1. Editing of AID list:

A list of AIDs (referred hereafter as an AID list) contained in the PAT is edited using AIDs and Enabler. Else, the AID list is newly generated.

2. Setting of the validity period and the transfer control flag:

The validity period value and the transfer control flag value contained in the PAT are changed using an AID and Enabler. Also, a new validity period value and a new transfer control flag value are set in the newly generated AID list.

[0209] A user who presented the holder AID and the Enabler corresponding to this holder AID to the PAT processing device can edit the list of AIDs contained in the PAT. In this case, the following processing rules are used.

(1) Generating a new PAT (MakePAT) (see Fig. 10):
The AID list (ALIST<holder AID | member AID_1, member AID_2, ..., member AID_n>) is newly generated, and the validity period value and the transfer control flag value are set with respect to the generated ALIST.

AID_A + AID_B + Enabler of AID_B + Enabler of AID_A
→ ALIST<AID_A | AID_B>

ALIST<AID_A | AID_B> + Enabler of AID_A + validity period value + transfer control flag value
→ PAT<AID_A | AID_B>

(2) Merging PATs (MergePAT) (see Fig. 11):
A plurality of ALISTs of the same holder AID are merged and the validity period value and the transfer control flag value are set with respect to the merged ALIST.

ALIST<AID_A | AID_B1, AID_B2, ...> + ALIST<AID_A | AID_C1, AID_C2, ...> + Enabler of AID_A
→ ALIST<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...>

ALIST<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...> + Enabler of AID_A + validity period value + transfer control flag value
→ PAT<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...>

(3) Splitting a PAT (SplitPAT) (see Fig. 12):
The ALIST is split into a plurality of ALISTs of the same holder AID, and the respective validity period value and transfer control flag value are set with respect to each one of the split ALISTs.

ALIST<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...> + Enabler of AID_A
→ ALIST<AID_A | AID_B1, AID_B2, ...> + ALIST<AID_A | AID_C1, AID_C2, ...>

ALIST<AID_A | AID_C1, AID_C2, ...> + Enabler of AID_A + validity period value + transfer control flag value
→ PAT<AID_A | AID_C1, AID_C2, ...>

(4) Changing a holder of a PAT (TransPAT) (see Fig. 13):
The holder AID of the ALIST is changed, and the validity period value and the transfer control flag value are set with respect to the changed ALIST.

ALIST<AID_A | AID_B> + ALIST<AID_A | AID_C1, AID_C2, ...> + Enabler of AID_A + Enabler of AID_B
→ ALIST<AID_B | AID_C1, AID_C2, ...>

ALIST<AID_B | AID_C1, AID_C2, ...> + Enabler of AID_B + validity period value + transfer control flag value
→ PAT<AID_B | AID_C1, AID_C2, ...>

[0210] In the operation for setting the validity period value, in order to permit the setting of the validity period value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

PAT<AID_A | AID_B> + Enabler of AID_A + validity period value
→ PAT<AID_A | AID_B>

[0211] In the operation for setting the transfer control flag value, in order to permit the setting of the transfer control flag value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

PAT<AID_A | AID_B> + Enabler of AID_A + transfer control flag value
→ PAT<AID_A | AID_B>

[0212] Next, with references to Fig. 14 to Fig. 20, the overall system configuration of this second embodiment will be described. In Fig. 14 to Fig. 20, the user-A who has AID_A allocated from the CA stores AID_A and Enabler of AID_A in a computer of the user-A, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_A and Enabler of AID_A are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.

[0213] Similarly, the user-B who has AID_B allocated from the CA stores AID_B and Enabler of AID_B in a computer of the user-B, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_B and Enabler of AID_B are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.
[0214] In the following, a procedure by which the user-A generates PAT<AID_A | AID_B> will be described.

(1) The user-A acquires AID_B and Enabler of AID_B using any of the following means.

* AID_B and Enabler of AID_B are registered at the ADS 7, and it is waited until the user-A acquires them as a search result (Fig. 14).

* AID_B and Enabler of AID_B are directly transmitted to the user-A by the email, signaling, etc. (Figs. 15, 16).

* AID_B and Enabler of AID_B are stored in a magnetic, optic, or electronic medium such as floppy disk, CD-ROM, MO, IC card, and this medium is given to the user-A. Else, it is waited until the user acquires them by reading this medium (Figs. 17, 18).

* AID_B and Enabler of AID_B are printed on a paper medium such as book, name card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 19, 20).

(2) The user-A who has acquired AID_B and Enabler of AID_B by any of the means described in the above (1) issues the MakePAT command to the PAT processing device. This procedure is common to Fig. 14 to Fig. 20, and defined as follows.

(a) The user-A requests the issuance of the MakePAT command by setting AID_A, Enabler of AID_A, AID_B, Enabler of AID_B, the validity period value, and the transfer control flag value into the communication terminal of the user-A.

(b) The communication terminal of the user-A generates the MakePAT command.

(c) The communication terminal of the user-A transmits the generated MakePAT command to the PAT processing device by means such as the email, signaling, etc. (the issuance of the MakePAT command).

(d) The PAT processing device generates PAT<AID_A | AID_B> by processing the received MakePAT command according to Fig. 21 and Fig. 23. More specifically, this is done as follows.

AID_A + AID_B + Enabler of AID_B + Enabler of AID_A
→ ALIST<AID_A | AID_B>

ALIST<AID_A | AID_B> + Enabler of AID_A + validity period value + transfer control flag value
→ PAT<AID_A | AID_B>

(e) The PAT processing device transmits the generated PAT<AID_A | AID_B> to the communication terminal of the user-A or to the communication terminal of the user-B according to the need, by means such as the email, signaling, etc.

(f) The communication terminal of the user-A (or the user-B) stores the received PAT<AID_A | AID_B> in the storage device of the communication terminal of the user-A.

[0215] The merging of PATs (MergePAT, Fig. 21, Fig. 23), the splitting of a PAT (SplitPAT, Fig. 22, Fig. 23), and the changing of a holder of a PAT (TransPAT, Fig. 21, Fig. 23) are also carried out by the similar procedure.
[0216] Next, the procedure of MakePAT, MergePAT and TransPAT will be described with reference to Fig. 21.

(1) The holder AID is specified (step S4411).

(2) All the member AIDs are specified (step S4412).

(3) The AID list is generated from the specified holder AID and all the specified member AIDs (step S4413). More specifically, the specified holder AID and all the specified member AIDs are concatenated using arbitrary means.

(4) A tentative PAT is generated using arbitrary means, similarly as in the case of a tentative AID (step S4414).

(5) The generated AID list is copied to a prescribed region of the generated tentative PAT (step S4415).

(6) The holder index value is written into the tentative PAT to which the AID list has been copied (step S4416).

(7) The transfer control flag value is written into the tentative PAT into which the holder index value has been written (step S4417).

(8) The validity period value is written into the tentative PAT into which the transfer control flag value has been written (step S4418).

(9) The PAT processing device identifier is written into the tentative PAT into which the validity period value has been written (step S4419).

(10) The tentative PAT into which the PAT processing device identifier has been written is signed using the secret key of the PAT processing device (step S4420).

[0217] Next, the procedure of SplitPAT will be described with reference to Fig. 22.

(1) The holder AID is specified (step S4511).

(2) All the AIDs to be the member AIDs of the PATs after the splitting are specified (step S4512).

(3) The AID list is generated from the specified holder AID and all the specified member AIDs (step S4513). More specifically, the specified holder AID and all the specified member AIDs are concatenated using arbitrary means.

(4) A tentative PAT is generated using arbitrary means, similarly as in the case of a tentative AID (step S4514).

(5) The generated AID list is copied to a prescribed region of the generated tentative PAT (step S4515).

(6) The holder index value is written into the tentative PAT to which the AID list has been copied (step S4516).

(7) The transfer control flag value is written into the tentative PAT into which the holder index value has been written (step S4517).

(8) The validity period value is written into the tentative PAT into which the transfer control flag value has been written (step S4518).

(9) The PAT processing device identifier is written into the tentative PAT into which the validity period value has been written (step S4519).

(10) The tentative PAT into which the PAT processing device identifier has been written is signed using the secret key of the PAT processing device (step S4520).

(11) In the case of continuing the splitting (step S4521 YES), the procedure returns to (2), and repeats (2) to (10) sequentially.

[0218] Note that, in the procedures of Fig. 21 and Fig. 22, the AID list generation is carried out according to Fig. 23 as follows. Namely, a buffer length is determined first (step S4611) and a buffer is generated (step S4612). Then, the holder AID is copied to a vacant region of the generated buffer (step S4613). Then, the member AID is copied to a vacant region of the resulting buffer (step S4614), and if the next member AID exists (step S4615 YES), the step S4614 is repeated.
[0219] Next, the determination of the holder AID will be described. Each of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands is defined to have two or more arguments, where AID, PAT, or Enabler can be specified as an argument. In this case, the PAT processing device specifies the holder AID of the PAT to be outputted after executing each command according to the following rules.

* Case of the MakePAT:

For the MakePAT command, it is defined that AIDs are to be specified for the first argument to the N-th argument (N = 2, 3, ...) and Enablers are to be specified for the N+1-th and subsequent arguments. For example, they can be specified as follows.

MakePAT AID_1 AID_2 ... AID_N Enabler of AID_1 Enabler of AID_2 ... Enabler of AID_N

The PAT processing device interprets the AID of the first argument of the MakePAT command as the holder AID.

Only when one of the Enablers of the N+1-th and subsequent arguments corresponds to the AID of the first argument, the PAT processing device specifies this AID (that is the AID of the first argument) as the holder AID of the PAT to be outputted after executing the MakePAT command.

* Case of the MergePAT:

For the MergePAT command, it is defined that PATs are to be specified for the first argument to the N-th argument (N = 2, 3, ...) and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

MergePAT PAT_1 PAT_2 ... PAT_N Enabler of AID

The PAT processing device interprets the holder AID of the PAT of the first argument of the MergePAT command as the holder AID of the PAT to be outputted after executing the MergePAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies this AID (that is the holder AID of the PAT of the first argument) as the holder AID of the PAT to be outputted after executing the MergePAT command.

* Case of the SplitPAT:

For the SplitPAT command, it is defined that PAT is to be specified for the first argument, a set of one or more AIDs grouped together by some prescribed symbols (assumed to be parentheses () in this example) are to be specified for the second argument to the N-th argument (N = 3, 4, ...), and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

SplitPAT PAT_1 (AID_11) (AID_21 AID_22) ... (AID_N1 AID_N2 ... AID_NM) Enabler of AID

The PAT processing device interprets the holder AID of the PAT of the first argument of the SplitPAT command as the holder AID of the PAT to be outputted after executing the SplitPAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies this AID (that is the holder AID of the PAT of the first argument) as the holder AID of the PAT to be outputted after executing the SplitPAT command.

* Case of the TransPAT:

For the TransPAT command, it is defined that PATs are to be specified for the first argument and the second argument, AID is to be specified for the third argument, and Enablers are to be specified for the fourth argument and the fifth argument. Namely, they can be specified as follows.

TransPAT PAT_1 PAT_2 AID Enabler of AID_1 Enabler of AID_2

The PAT processing device interprets the AID of the third argument as the holder AID of the PAT to be outputted after executing the TransPAT command provided that the AID of the third argument of the TransPAT command is contained in the PAT of the second argument.

Only when the Enabler of the fourth argument corresponds to both the PAT of the first argument and the PAT of the second argument and the Enabler of the fifth argument corresponds to the AID of the third argument, the PAT processing device specifies the AID of the third argument as the holder AID of the PAT to be outputted after executing the TransPAT command.

Next, the determination of the member AIDs will be described. The definitions of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands are as described above. The PAT processing device specifies the member AIDs of the PAT to be outputted after executing each command according to the following rules.

* Case of the MakePAT:

Only when the holder AID of the PAT to be outputted after executing the MakePAT command is formally determined, the PAT processing device interprets all the AIDs of the second and subsequent arguments of the MakePAT command as the member AIDs of the PAT to be outputted after executing the MakePAT command.

The PAT processing device specifies only those AIDs among all the AIDs of the second and subsequent arguments which correspond to the Enablers specified by the N+1-th and subsequent arguments as the member AIDs of the PAT to be outputted after executing the MakePAT command.

* Case of the MergePAT:

Only when the holder AID of the PAT to be outputted after executing the MergePAT command is formally determined, the PAT processing device specifies the member AIDs of all the PATs specified by the first to N-th arguments of the MergePAT as the member AIDs of the PAT to be outputted after executing the MergePAT command.

* Case of the SplitPAT:

Only when the holder AID of the PAT to be outputted after executing the SplitPAT command is formally determined, the PAT processing device specifies the member AID of the PAT specified by the first argument of the SplitPAT command as the member AID of the PAT to be outputted after executing the SplitPAT command. At this point, the member AIDs are distributed into different PATs in units of parentheses ( ). For example, in the case of:

SplitPAT PAT (AID_11) (AID_21 AID_22) ... (AID_N1 AID_N2 ... AID_NM) Enabler of AID

(AID_11), (AID_21 AID_22) and (AID_N1 AID_N2 ... AID_NM) will be the member AIDs of different PATs having a common holder AID.

* Case of TransPAT:

Only when the holder AID of the PAT to be outputted after executing the TransPAT command is formally determined, the PAT processing device specifies all the member AIDs remaining after excluding the member AID that is scheduled to be a new holder AID from all the member AIDs of the PAT specified by the first argument of the TransPAT command and the member AIDs of the PAT specified by the second argument as the member AIDs of the PAT to be outputted after executing the TransPAT command.

[0220] Next, the verification of the properness of the Enabler will be described. This verification of the properness of the Enabler is common to the MakePAT, the MergePAT, the SplitPAT and the TransPAT, and carried out according to Fig. 24 as follows.

(1) AID and Enabler are entered (step S5511).

(2) Each of these entered AID and Enabler is verified using the public key of the CA1 (step S5512). If at least one of them is altered (step S5513 YES), the processing is terminated.

(3) A character string for certifying that it is Enabler is entered (step S5514).

(4) The top field of the Enabler of the step S5511 and the character string of the step S5514 are compared (step S5515). If they do not match (step S5516 NO), the processing is terminated.

(5) If they match (step S5516 YES), the AID of the step S5511 and the AID within the Enabler are compared (step S5517).

(6) A comparison result is outputted (step S5519).

[0221] Next, with references to Fig. 25 to Fig. 28, the third embodiment of the email access control scheme according to the present invention will be described in detail.

[0222] In the generation of a new PAT (MakePAT) and the PAT holder change (TransPAT) of the above described embodiment, it is necessary to give member AIDs and Enablers of member AIDs to the holder of the PAT, but when they are given to the holder, it becomes possible for that holder to participate in the group communications hosted by the other holders by using the acquired member AIDs. Namely, there arises a problem that the pretending using the member AIDs becomes possible. Moreover, if that holder places the acquired member AIDs and Enablers of member AIDs on a medium that is readable by unspecified many, these member AIDs become accessible to anyone so that there arises a problem that the harassment to the users of the member AIDs may occur and the pretending using the member AIDs by a third person also becomes possible.

[0223] For this reason, in this third embodiment, it is made possible to carry out the MakePAT and the TransPAT without giving the Enablers of member AIDs to the holder.

[0224] To this end, in this third embodiment, the generation of a new PAT and the content change of the existing PAT are carried out by using Null-AID (AID_Null) and Enabler of Null-AID (Enabler of AID_Null).

[0225] Here, the processing involving the Null-AID obeys all of the following rules:

(a) the processing rules of MakePAT, MergePAT, SplitPAT and TransPAT as in the above described embodiment; and

(b) the rules applicable only to the Null-AID, including:

(i) Null-AID is known to every user, and

(ii) Enabler of Null-AID is known to every user.

[0226] Here, the processing rule as defined in the above described embodiment in the case of this third embodiment will be described.

(1) Making a PAT from plural AIDs (MakePAT):

AID_holder + AID_member1 + AID_member2 + ... + AID_memberN
+ Enabler of AID_member1 + Enabler of AID_member2 + ... + Enabler of AID_memberN + Enabler of AID_holder
-> PAT<AID_holder | AID_member1, AID_member2, ..., AID_memberN>

(2) Merging plural PATs of the same holder (MergePAT):

PAT<AID_holder | AID_membera1, AID_membera2, ..., AID_memberaM>
+ PAT<AID_holder | AID_memberb1, AID_memberb2, ..., AID_memberbN>
+ Enabler of AID_holder
-> PAT<AID_holder | AID_membera1, AID_membera2, ..., AID_memberaM, AID_memberb1, AID_memberb2, ..., AID_memberbN>

(3) Splitting a PAT into plural PATs of the same holder (SplitPAT):

PAT<AID_holder | AID_membera1, AID_membera2, ..., AID_memberaM, AID_memberb1, AID_memberb2, ..., AID_memberbN>
+ Enabler of AID_holder
-> PAT<AID_holder | AID_membera1, AID_membera2, ..., AID_memberaM>
+ PAT<AID_holder | AID_memberb1, AID_memberb2, ..., AID_memberbN>

(4) Changing a holder AID of a PAT (TransPAT):

PAT<AID_holder | AID_membera1, AID_membera2, ..., AID_memberaM> + PAT<AID_holder | AID_newholder>
+ Enabler of AID_holder + Enabler of AID_newholder
-> PAT<AID_newholder | AID_membera1, AID_membera2, ..., AID_memberaM>

[0227] The method for specifying the validity period value and the transfer control flag value in the PAT containing the Null-AID is similar to the method for specifying the validity period value and the transfer control flag value in the second embodiment described above. Next, the exemplary processings involving the Null-AID will be described.

(1) Case of producing PAT<AID_Null | AID_A> from AID_A and Enabler of AID_A:

(a) According to the above described rules (b)(i) and (b)(ii) of the Null-AID, AID_Null and Enabler of AID_Null are known.

(b) Using MakePAT,

AID_Null + AID_A + Enabler of AID_A + Enabler of AID_Null
-> PAT<AID_Null | AID_A>.

(2) Case of producing PAT<AID_Null | AID_A, AID_B> from PAT<AID_Null | AID_A> and PAT<AID_Null | AID_B>:

(a) According to the above described rules (b)(i) and (b)(ii) of the Null-AID, AID_Null and Enabler of AID_Null are known.

(b) Using MergePAT,

PAT<AID_Null | AID_A> + PAT<AID_Null | AID_B>
+ Enabler of AID_Null
-> PAT<AID_Null | AID_A, AID_B>.

(3) Case of producing PAT<AID_A | AID_B> from PAT<AID_Null | AID_A>, PAT<AID_Null | AID_B> and Enabler of AID_A:

(a) According to the above described rules (b)(i) and (b)(ii) of the Null-AID, AID_Null and Enabler of AID_Null are known.

(b) Using TransPAT,

PAT<AID_Null | AID_A> + PAT<AID_Null | AID_B>
+ Enabler of AID_Null + Enabler of AID_A
-> PAT<AID_A | AID_B>.



[0228] As shown in Fig. 25, the data structure of the Null-AID comprises a character string uniquely indicating that it is Null-AID (a character string defined by the CA, for example), which is signed by the CA using the secret key of the CA.

[0229] Also, as shown in Fig. 26, the data structure of the Enabler of Null-AID comprises a character string uniquely indicating that it is Enabler (a character string defined by the CA, for example) and the Null-AID itself, which is signed by the CA using the secret key of the CA.

[0230] Note that the Null-AID and the Enabler of Null-AID are maintained at secure PAT processing devices and secure PAT certification authority.
[0231] Next, the first exemplary application of this third embodiment will be described with reference to Fig. 27, which includes the following operations.

(1) The user-B (PAT member) generates PAT<AID_Null | AID_B> by executing the above described exemplary processing (1) involving the Null-AID at the secure PAT processing device which is connected with the terminal of the user-B, and gives it to the user-A (PAT holder) by arbitrary means.

(2) The user-A who received PAT<AID_Null | AID_B> carries out the following operations at the secure PAT processing device which is connected with the terminal of the user-A.

(a) PAT<AID_Null | AID_A> is produced by executing the above described exemplary processing (1) involving the Null-AID.

(b) PAT<AID_A | AID_B> is produced by executing the above described exemplary processing (3) involving the Null-AID.

(3) The user-A gives the generated PAT<AID_A | AID_B> to the user-B by arbitrary means.

[0232] Note that the method for determining the validity period is the same as described above so that it will not be repeated here. Also, the processing involving the Null-AID is the same as described above so that it will not be repeated here.

[0233] In the case of giving PAT<AID_Null | AID_A, AID_B> to the user-B, the above described exemplary processing (2) involving the Null-AID will be executed in the operation (2) described above.
[0234] Next, the second exemplary application of this third embodiment will be described with reference to Fig. 28, which includes the following operations.

(1) The user-B (PAT member) produces PAT<AID_Null | AID_B> by executing the above described exemplary processing (1) involving the Null-AID at the secure PAT processing device which is connected with the terminal of the user-B, and registers it along with arbitrary disclosed information at the ADS.

(2) The user-A produces PAT<AID_Null | AID_A> by executing the above described exemplary processing (1) involving the Null-AID at the secure PAT processing device which is connected with the terminal of the user-A, and presents it along with arbitrary search conditions to the ADS.

(3) When the personal information of the user-B satisfies the search conditions presented by the user-A, the secure PAT processing device connected with the ADS carries out the following operations.

(a) PAT<AID_Null | AID_A, AID_B> is produced by executing the above described exemplary processing (2) involving the Null-AID.

(b) The produced PAT<AID_Null | AID_A, AID_B> is given to the ADS.

(4) The ADS gives PAT<AID_Null | AID_A, AID_B> produced by the PAT processing device to the user-A.

(5) The user-A who received PAT<AID_Null | AID_A, AID_B> produces PAT<AID_A | AID_B> by executing the following TransPAT processing at the secure PAT processing device which is connected with the terminal of the user-A.

PAT<AID_Null | AID_A> + PAT<AID_Null | AID_A, AID_B>
+ Enabler of AID_Null + Enabler of AID_A
-> PAT<AID_A | AID_B>.

[0235] Note that the method for determining the validity period is the same as described above so that it will not be repeated here. Also, the processing involving the Null-AID is the same as described above so that it will not be repeated here.

[0236] In the case of generating PAT<AID_A | AID_B> at the PAT processing device connected with the ADS, Enabler of AID_A will be given to that PAT processing device, and the above described exemplary processing (3) involving the Null-AID will be executed in the operation (3) described above.

[0237] In the case of generating PAT<AID_B | AID_A> at the PAT processing device connected with the ADS and giving it to the user-B, Enabler of AID_B will be given to that PAT processing device, and the above described exemplary processing (3) involving the Null-AID will be executed in the operation (3) described above.

[0238] Next, with references to Fig. 29 to Fig. 31, the fourth embodiment of the email access control scheme according to the present invention will be described in detail.

[0239] In the group communication, a situation where it is desired to fix the participants is frequently encountered, but the above described embodiment does not have a function for making it impossible to change the PAT so that the participants cannot be fixed. Namely, in the above described embodiment, whether or not to fix the participants is left to the judgement of the holder of the PAT.

[0240] For this reason, in this fourth embodiment, a read only attribute is set up in the PAT. More specifically, in this fourth embodiment the read only attribute is set up in the PAT by using God-AID (AID_God).
[0241] Here, the processing involving the God-AID obeys all of the following rules:

(a) God-AID is known to every user, and

(b) the processing involving God-AID is allowed only in the following cases:

(i) a case where the AID_holder is neither AID_Null nor AID_God:

PAT<AID_holder | AID_member1, AID_member2, ..., AID_memberN> + Enabler of AID_holder
-> PAT<AID_God | AID_holder, AID_member1, AID_member2, ..., AID_memberN>

(ii) a case where AID_holder is AID_Null:

PAT<AID_Null | AID_member1, AID_member2, ..., AID_memberN>
+ Enabler of AID_Null
-> PAT<AID_God | AID_member1, AID_member2, ..., AID_memberN>

[0242] As shown in Fig. 29, the data structure of the God-AID comprises a character string uniquely indicating that it is God-AID (a character string defined by the CA, for example), which is signed by the CA using the secret key of the CA. The God-AID is maintained at the secure PAT processing devices and the secure PAT certification authority described above.

[0243] The processings of a PAT that contains the Null-AID are according to Fig. 21 to Fig. 24. When the holder AID is neither Null-AID nor God-AID, the God-AID is appended to the AID list and the holder index value is specified to be a position of the God-AID in the AID list after appending the God-AID. When the holder AID is Null-AID, the Null-AID is deleted from the AID list, the God-AID is appended to the AID list, and then the holder index value is specified to be a position of the God-AID in the AID list after appending the God-AID.
[0244] Next, the exemplary application of this fourth embodiment will be described with reference to Fig. 30.

[0245] In the case of producing PAT<AID_God | AID_A, AID_B> from PAT<AID_Null | AID_A> and PAT<AID_Null | AID_B>, the following processing is executed at the secure PAT processing device which is connected with the terminal of the PAT holder (user-A in Fig. 30).

(1) Using MergePAT,

PAT<AID_Null | AID_A> + PAT<AID_Null | AID_B>
+ Enabler of AID_Null
-> PAT<AID_Null | AID_A, AID_B>.

(2) According to the above described rule (a) of the God-AID, AID_God is known.

(3) According to the above described rule (b)(ii) of the God-AID,

PAT<AID_Null | AID_A, AID_B> + Enabler of AID_Null
-> PAT<AID_God | AID_A, AID_B>

[0246] The above processing is also executed at the secure PAT processing device connected with a computer (search engine, etc.) of the third person (Fig. 31) or at the secure PAT certification authority.
[0247] Next, with reference to Fig. 32, the fifth embodiment of the email access control scheme according to the present invention will be described in detail.

[0248] When the Null-AID is added as described in the third embodiment, there arises a problem that it becomes possible for the holder of the PAT (the user of the holder AID) to transfer the access right with respect to the member (the user of the member AID) to the third person, and moreover this transfer can be done without a permission of the member, as will be described now.

(1) The holder-A of PAT<AID_A | AID_B> (for the member-B) produces PAT<AID_Null | AID_B> by using PAT<AID_A | AID_B>, AID_A and Enabler of AID_A. Here, it is assumed that the holder-A knows all of AID_A, Enabler of AID_A, AID_Null, and Enabler of AID_Null in addition to PAT<AID_A | AID_B>.

(a) The holder-A produces PAT<AID_A | AID_Null> using the MakePAT as follows.

AID_A + AID_Null + Enabler of AID_Null + Enabler of AID_A
-> PAT<AID_A | AID_Null>

(b) The holder-A produces PAT<AID_Null | AID_B> using the TransPAT as follows.

PAT<AID_A | AID_B> + PAT<AID_A | AID_Null>
+ Enabler of AID_A + Enabler of AID_Null
-> PAT<AID_Null | AID_B>

After the above described operation (1)(b), if the holder-A gives PAT<AID_Null | AID_B> to the third person-C, the following operation (2) becomes possible.

(2) The third person-C produces PAT<AID_C | AID_B> by using PAT<AID_Null | AID_B>. Here, it is assumed that the third person-C knows all of AID_C, Enabler of AID_C, AID_Null, and Enabler of AID_Null in addition to PAT<AID_Null | AID_B>.

(a) The third person-C produces PAT<AID_Null | AID_C> using the MakePAT as follows.

AID_Null + AID_C + Enabler of AID_C + Enabler of AID_Null
-> PAT<AID_Null | AID_C>

(b) The third person-C produces PAT<AID_C | AID_B> using the TransPAT as follows.

PAT<AID_Null | AID_B> + PAT<AID_Null | AID_C>
+ Enabler of AID_Null + Enabler of AID_C
-> PAT<AID_C | AID_B>

[0249] As a result of the above described operation (2)(b), the third person-C obtains PAT<AID_C | AID_B> so that accesses to the member-B become possible.

[0250] For this reason, in this fifth embodiment, it is made impossible for the holder of PAT<AID_holder | AID_member> to produce PAT<AID_Null | AID_member> from this PAT<AID_holder | AID_member> as long as the holder does not know Enabler of AID_member.

[0251] In the third embodiment described above, in order for the PAT holder to produce PAT<AID_Null | AID_member> without using Enabler of AID_member, it is necessary to produce PAT<AID_holder | AID_Null>.
[0252] To this end, in this fifth embodiment, for the Null-AID described in the third embodiment, the following rule is added:

* the Null-AID can be used only as the holder AID of the PAT (the Null-AID cannot be used as the member AID).

That is, PAT<AID_Null | AID_member1, AID_member2, ..., AID_memberN> is allowed, but PAT<AID_holder | AID_Null, AID_member1, AID_member2, ..., AID_memberN> is not allowed.

Each of the secure PAT processing devices and the secure PAT certification authority is additionally equipped with a function for checking whether the Null-AID is contained as the member AID or not. This member AID checking processing is carried out according to Fig. 32 as follows.

(1) Null-AID and PAT are entered (step S6911).

(2) All the member AIDs are taken out from the PAT entered at the step S6911 (step S6913).

(3) Each of the taken out member AIDs is compared with the Null-AID entered at the step S6911 (step S6919).

If all the member AIDs do not completely match with the Null-AID (step S6917 NO, step S6919 YES), the processing proceeds to the MergePAT, SplitPAT or TransPAT processing (Fig. 21 or Fig. 22) (step S6921).

If there is a member AID that completely matches with the Null-AID (step S6917 YES), the processing is terminated.
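
The effect of the rule added in this fifth embodiment can be exercised in a small model. The following Python is an added illustration, not part of the patent text: CA signatures are omitted, an Enabler is modelled as an object naming its AID, and applying the Fig. 32 check to the MakePAT output as well as to the TransPAT inputs is an assumption of this sketch.

```python
from dataclasses import dataclass

NULL_AID = "AID_Null"   # known to every user, together with its Enabler


@dataclass(frozen=True)
class Enabler:
    aid: str            # the AID this Enabler belongs to (signature omitted)


@dataclass(frozen=True)
class PAT:
    holder: str
    members: frozenset


class Refused(Exception):
    """Raised when the PAT processing device terminates the processing."""


def require_enablers(aids, enablers):
    known = {e.aid for e in enablers}
    missing = [a for a in aids if a not in known]
    if missing:
        raise Refused(f"no Enabler presented for {missing}")


def null_member_check(pat, strict):
    """Fig. 32: terminate if any member AID completely matches the Null-AID."""
    if strict and NULL_AID in pat.members:
        raise Refused("Null-AID used as a member AID")


def make_pat(holder, members, enablers, strict=True):
    """MakePAT: Enablers of the holder and of every member must be presented."""
    require_enablers([holder, *members], enablers)
    pat = PAT(holder, frozenset(members))
    null_member_check(pat, strict)       # applied to the output (assumption)
    return pat


def trans_pat(pat1, pat2, new_holder, enablers, strict=True):
    """TransPAT PAT_1 PAT_2 AID: AID, a member of PAT_2, becomes the holder."""
    for pat in (pat1, pat2):
        null_member_check(pat, strict)   # the Fig. 32 gate before TransPAT
    if pat1.holder != pat2.holder or new_holder not in pat2.members:
        raise Refused("arguments do not match the TransPAT definition")
    require_enablers([pat1.holder, new_holder], enablers)
    members = (pat1.members | pat2.members) - {new_holder}
    return PAT(new_holder, members)


def transfer_to_third_person(strict):
    """Operations (1) and (2) of paragraph [0248]; Enabler of AID_B is never used."""
    a_knows = [Enabler("AID_A"), Enabler(NULL_AID)]
    c_knows = [Enabler("AID_C"), Enabler(NULL_AID)]
    pat_a_b = PAT("AID_A", frozenset({"AID_B"}))   # holder-A's existing PAT
    # (1)(a), (1)(b): holder-A turns PAT<A|B> into PAT<Null|B>
    pat_a_null = make_pat("AID_A", [NULL_AID], a_knows, strict)
    pat_null_b = trans_pat(pat_a_b, pat_a_null, NULL_AID, a_knows, strict)
    # (2)(a), (2)(b): third person-C turns PAT<Null|B> into PAT<C|B>
    pat_null_c = make_pat(NULL_AID, ["AID_C"], c_knows, strict)
    return trans_pat(pat_null_b, pat_null_c, "AID_C", c_knows, strict)


def outcome(strict):
    try:
        return transfer_to_third_person(strict)
    except Refused as why:
        return f"refused: {why}"


if __name__ == "__main__":
    print("third embodiment rules:", outcome(strict=False))
    print("fifth embodiment rule :", outcome(strict=True))
```

With the check enabled, the member-initiated flow of the third embodiment still works, because there the Null-AID only ever appears as the holder AID.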

[0253] Next, with reference to Fig. 33 to Fig. 39, the sixth embodiment of the email access control scheme according to the present invention will be described in detail.

[0254] This sixth embodiment differs from the first embodiment described above in that a link information is added to the AID of Fig. 2 used in the first embodiment as shown in a part (b) of Fig. 34, while a link information of the AID is set instead of the AID itself that is contained in the 1-to-1 PAT of Fig. 2, as shown in a part (c) of Fig. 34, such that the AID is uniquely identified by the link information.

[0255] Note that such an AID to which the link information is added will be referred to as a link information attached AID, and a 1-to-1 PAT having the link information of the AID will be referred to as a link specifying 1-to-1 PAT. Also, the link information is an information capable of uniquely identifying the AID, which is given by a kind of data generally known as identifier such as a serial number uniquely assigned to the AID by the CA for example.

[0256] Fig. 33 shows an overall configuration of a communication system in this sixth embodiment.

[0257] In Fig. 33, the CA (Certification Authority) 1 has a right to authenticate OIDs and a right to issue AIDs, and functions to allocate AIDs to users 3.

[0258] The SCS (Secure Communication Service) 5 transfers emails among the users 3, carries out the receiving refusal and the identity judgement and the extraction of the OID according to the need.

[0259] The ADS (Anonymous Directory Service) 7 is a database for managing the AID, the transfer control flag value, the validity period value, and the disclosed information of each user 3. The ADS 7 has a function to generate the PAT from the AID of a searcher and the AID of a registrant who satisfies the search conditions, and issue it to the searcher.
[0260] A series of processing from generating the AID from the OID according to a request from a user until allocating the AID to that user is basically the same as in the first embodiment except that the link information is to be added, which will now be described with reference to Fig. 34.

[0261] Fig. 34 shows exemplary formats of the OID, the link information attached AID, and the link specifying 1-to-1 PAT. As shown in a part (a) of Fig. 34, the OID is an information comprising an arbitrary character string according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1.

[0262] Also, as shown in a part (b) of Fig. 34, the link information attached AID is an information comprising fragments of the OID and their position information, redundant character strings, an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, and the link information, which is signed by the CA 1.

[0263] Also, as shown in a part (c) of Fig. 34, the link specifying 1-to-1 PAT is an information comprising the transfer control flag, the link information of AID_0, the link information of AID_1, and the validity period, which is signed by the ADS 7 using a secret key of the ADS 7.

[0264] A procedure by which the user 3 requests the link information attached AID to the CA 1 is the same as that of the first embodiment. A procedure by which the CA 1 issues the link information attached AID to the user 3 in response to a request for the AID is also the same as that of the first embodiment.

[0265] Next, the link information attached AID generation processing at the CA will be described with reference to Fig. 35.
[0266] In the procedure of Fig. 35, the CA 1 generates an information of a length equal to the total length L of the OID, and sets this information as a tentative AID (step S7211). Then, in order to carry out the partial copying of the OID, values of parameters p_i and l_i for specifying a copying region are determined using arbitrary means such as random number generation respectively (step S7213). Here, L is equal to the total length L of the OID, and l_i is an arbitrarily defined value within a range in which a relationship of 0 ≤ l_i ≤ L holds. Then, an information in a range between a position p_i to a position p_i + l_i from the top of the OID is copied to the same positions in the tentative AID (step S7215). In other words, this OID fragment will be copied to a range between a position p_i and a position p_i + l_i from the top of the tentative AID. Then, the values of p_i and l_i are written into a prescribed range in the tentative AID into which the OID has been partially copied, in a form encrypted by an arbitrary means (step S7217). Then, an SCS information given by an arbitrary character string (host name, real domain, etc.) that can uniquely identify a host or a domain that is operating the SCS 5 on the network is written into a prescribed range in the tentative AID into which these values are written (step S7219). Then, the link information is written (step S7220). Then, the tentative AID into which the above character string and the link information are written is signed using a secret key of the CA 1 (step S7221).

[0267] Next, a procedure for registering the AID of a user-B 3 and the disclosed information into the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-B 3 and the certificate of the ADS 7 is carried out between the user-B 3 who is a registrant and the ADS 7. Then, the user-B 3 transmits the transfer control flag value, the validity period value, and the disclosed information such as interests to the ADS 7. Then, the ADS 7 stores the transfer control flag value, the validity period value, and the entire disclosed information in relation to the AID of the user-B 3 in its storage device. Here, there can be cases where communications between the user-B 3 who is the registrant and the ADS 7 are to be encrypted.
[0268] Next, a procedure by which a user-A 3 searches through the disclosed information that is registered in the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-A 3 and the certificate of the ADS 7 is carried out between the user-A 3 who is a searcher and the ADS 7. Then, the user-A 3 transmits arbitrary search conditions to the ADS 7. Then, the ADS 7 presents all the received search conditions to its storage device, and extracts the AID of a registrant which satisfies these search conditions. Then, the ADS 7 generates the link specifying 1-to-1 PAT from the link information of the AID of the user-A 3 and the link information of the AID of the registrant who satisfied the search conditions, the transfer control flag value, and the validity period value. Then, the ADS 7 transmits the generated PAT to the user-A 3. Here, there can be cases where communications between the user-A 3 who is a searcher and the ADS 7 are to be encrypted. Note that the link specifying 1-to-1 PAT is generated as a search result of the ADS 7.

[0269] Next, the link specifying 1-to-1 PAT generation processing at the ADS 7 will be described with reference to Fig. 36.

[0270] First, an information of a prescribed length is generated, and this information is set as a tentative PAT (step S7510). Then, the link information of the AID of the user-A 3 who is a searcher and the link information of the AID of the user-B 3 who is a registrant are copied into a prescribed region of the tentative PAT (step S7516). Then, the transfer control flag value and the validity period value are written into respective prescribed regions of the tentative PAT into which the link informations of the AIDs are copied (step S7517). Then, the tentative PAT into which these values are written is signed using a secret key of the ADS 7 (step S7519).
[0271] Next, the transfer control using the link specifying 1-to-1 PAT will be described. The transfer control is a function for limiting accesses to a user who has a proper access right from a third person to whom the PAT has been transferred or who has eavesdropped the PAT (a user who originally does not have the access right).

[0272] The ADS 7 and the user-B 3 of the registrant AID can prohibit a connection to the user-B 3 from a third person who does not have the access right by setting a certain value into the transfer control flag of the PAT.

[0273] When the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5.

[0274] On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.
[0275] Next, the email access control method at the SCS 5 will be described with reference to Fig. 37.

[0276] The sender specifies "[sender's AID]@[real domain of SCS of sender]" in From: line, and "[PAT]@[real domain of SCS of sender]" in To: line.

[0277] The SCS 5 acquires a mail received by an MTA (Message Transfer Agent) such as SMTP (Simple Mail Transfer Protocol), and executes the processing of Fig. 37 as follows.

(1) The signature of the PAT is verified using a public key of the ADS 7 (step S7713).

When the PAT is found to have been altered (step S7715 YES), the mail is discarded and the processing is terminated (step S7716).

When the PAT is found to have been not altered (step S7715 NO), the following processing (2) is executed.

(2) The search is carried out by presenting the link information of the sender's AID to the PAT (steps S7717, S7720, S7722).

When a link information that completely matches with the link information of the sender's AID is not contained in the PAT (step S7723 NO), the mail is discarded and the processing is terminated (step S7716).

When a link information that completely matches with the link information of the sender's AID is contained in the PAT (step S7723 YES), the following processing (3) is executed.

(3) The validity period value of the PAT is evaluated (steps S7725, S7727).

When the PAT is outside the validity period (step S7727 NO), the mail is discarded and the processing is terminated (step S7716).

When the PAT is within the validity period (step S7727 YES), the following processing (4) is executed.

(4) Whether or not to authenticate the sender is determined by referring to the transfer control flag value of the PAT (steps S7731, S7733).

When the value is 1 (step S7733 YES), the SCS 5 acquires the sender's AID itself and the public key of the sender's AID by presenting the link information to the CA 1, and then the challenge/response authentication between the SCS 5 and the sender is carried out, and the signature of the sender is verified (step S7735). When the signature is valid, the recipient is specified and the PAT is attached (step S7737). When the signature is invalid, the mail is discarded and the processing is terminated (step S7716).

When the value is 0 (step S7733 NO), the recipient is specified and the PAT is attached without executing the challenge/response authentication (step S7737).

[0278] The challenge/response authentication between the SCS 5 and the sender is the same as that for the 1-to-1 PAT described above.

[0279] Next, a method for specifying the recipient at the SCS 5 will be described. First, the SCS 5 carries out the search by presenting the link information of the sender's AID to the PAT, so as to acquire all the link informations which do not completely match the link information of the sender's AID. Then, the search is carried out by presenting all these acquired link informations to the CA 1 so as to acquire the AIDs. All these acquired AIDs will be defined as recipient's AIDs hereafter. Then, for every recipient's AID, the real domain of SCS of recipient is taken out from the recipient's AID. Then, the recipient is specified in a format of "[recipient's AID]@[real domain of SCS of recipient]". Finally, the SCS 5 changes the sender from a format of "[sender's AID]@[real domain of SCS of sender]" to a format of "sender's AID".
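The checks of Fig. 37 and the recipient specification that follows them can be sketched as below. This is an added example, not code from the patent: an HMAC stands in for the public-key signature of the ADS 7 and for the sender's signature in the challenge/response, the validity period is modelled as a single expiry time, and the names issue_pat, scs_process and CA_DIRECTORY as well as all sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, replace

# Constructed stand-in for the ADS 7 key pair: the page uses a public-key
# signature, an HMAC is swapped in here so the sketch runs on the stdlib.
ADS_KEY = b"constructed-ads-signing-key"

# Constructed CA 1 directory: link information -> AID, SCS real domain, and
# the key the sender proves possession of in the challenge/response.
CA_DIRECTORY = {
    "link-A": {"aid": "AID-A", "scs_domain": "scs-a.example", "key": b"key-A"},
    "link-B": {"aid": "AID-B", "scs_domain": "scs-b.example", "key": b"key-B"},
}


@dataclass(frozen=True)
class PAT:
    links: tuple            # link informations of the AIDs named in the PAT
    not_after: int          # validity period, modelled as an expiry time
    transfer_control: int   # 1: authenticate the sender, 0: do not
    signature: bytes = b""


def _mac(pat, key=ADS_KEY):
    body = json.dumps([list(pat.links), pat.not_after, pat.transfer_control])
    return hmac.new(key, body.encode(), hashlib.sha256).digest()


def issue_pat(links, not_after, transfer_control):
    """What the ADS 7 does when it generates and signs a PAT."""
    pat = PAT(tuple(links), not_after, transfer_control)
    return replace(pat, signature=_mac(pat))


def responder_for(key):
    """Sender side of the challenge/response: answer a nonce with a MAC."""
    return lambda nonce: hmac.new(key, nonce, hashlib.sha256).digest()


def scs_process(pat, sender_link, now, respond=None, ca=CA_DIRECTORY):
    """Return ("deliver", envelope) or ("discard", reason)."""
    # (1) A PAT that was altered after signing is rejected.
    if not hmac.compare_digest(pat.signature, _mac(pat)):
        return "discard", "PAT altered"
    # (2) The sender's link information must match an entry exactly.
    if sender_link not in pat.links:
        return "discard", "sender link not in PAT"
    # (3) The PAT must still be inside its validity period.
    if now > pat.not_after:
        return "discard", "PAT outside validity period"
    # (4) Transfer control flag 1: the sender must prove it holds the AID key.
    if pat.transfer_control == 1:
        nonce = secrets.token_bytes(16)
        expected = hmac.new(ca[sender_link]["key"], nonce, hashlib.sha256).digest()
        answer = respond(nonce) if respond else b""
        if not hmac.compare_digest(answer, expected):
            return "discard", "sender authentication failed"
    # Recipient specification: every non-matching link is resolved at the CA.
    recipients = [
        f'{ca[link]["aid"]}@{ca[link]["scs_domain"]}'
        for link in pat.links
        if link != sender_link
    ]
    return "deliver", {"sender": ca[sender_link]["aid"], "recipients": recipients}
```

With the flag at 1, a party that holds a copy of the sender's AID and the PAT but not the sender's key is discarded at step (4); with the flag at 0 the same copy is delivered.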

[0280] The method for attaching the PAT at the SCS 5 is the same as that for the 1-to-1 PAT described above.

[0281] Next, a method of receiving refusal with respect to the PAT at the SCS 5 will be described.

[0282] Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own AID, and arbitrary PATs to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next verifies the signature of each received PAT using a public key of the ADS. Those PATs with the invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 takes out the link information from the received AID, and then carries out the search by presenting the taken out link information to each PAT. For each of those PATs which contain the link information that completely matches with the link information of the received AID, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain the link information that completely matches with the link information of the received AID are discarded by the SCS 5 without storing them into the storage device. Here, there can be cases where communications between the user and the SCS 5 are to be encrypted.

[0283] Receiving refusal execution: The SCS 5 carries out the search by presenting the PAT to the storage device. When a PAT that completely matches the presented PAT is registered in the storage device, the mail is discarded. When a PAT that completely matches the presented PAT is not registered in the storage device, the mail is not discarded.

[0284] Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own AID to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next takes out the link information from the presented AID, presents the taken out link information as a search condition to the storage device and acquires all the PATs that contain the presented link information, and then presents all the acquired PATs to the user. Then, the user selects all the PATs for which the receiving refusal is to be cancelled by referring to all the PATs presented from the SCS 5, and transmits all the selected PATs along with a deletion command to the SCS 5. Upon receiving the deletion command and all the PATs for which the receiving refusal is to be cancelled, the SCS 5 presents the deletion command and all the PATs received from the user to the storage device, such that all the received PATs are deleted from the storage device.

[0285] Note that the method of receiving refusal with respect to the link specifying 1-to-N PAT at the SCS 5 is the same as the method of receiving refusal with respect to the link specifying 1-to-1 PAT described above.

[0286] Next, the judgement of identity will be described with reference to Fig. 38 and Fig. 39.

(1) An initial value of a variable OID_M is defined as a bit sequence with a length equal to the total length L of the OID and all values equal to "0". Also, an initial value of a variable OID_V is defined as a bit sequence with a length equal to the total length L of the OID and all values equal to "0" (step S7911).

(2) One link information attached AID is selected from a set of processing target link information attached AIDs, and the following bit processing is carried out (step S7913).

(a) Values of variables AID_M and AID_V are determined according to the position information contained in the link information attached AID (step S7915). Here, AID_M is defined as a bit sequence with a length equal to the total length L of the OID in which a value of a position at which the OID information is defined is "1" while a value of a position at which the OID information is not defined is "0" (see Fig. 39). Also, AID_V is defined as a bit sequence with a length equal to the total length L of the OID in which a value of a position at which the OID information is defined is an actual value of the OID information while a value of a position at which the OID information is not defined is "0" (see Fig. 39).

(b) AND processing of OID_M and AID_M is carried out and its result is substituted into a variable OVR_M (step S7917).

(c) AND processing of OVR_M and AID_V as well as AND processing of OVR_M and OID_V are carried out and their results are compared (step S7919). When they coincide, OR processing of OID_M and AID_M is carried out and its result is substituted into OID_M (step S7921), while OR processing of OID_V and AID_V is also carried out and its result is substituted into OID_V (step S7923). On the other hand, when they do not coincide, the processing proceeds to the step S7925.

(d) A link information attached AID to be processed next is selected from a set of processing target link information attached AIDs. When at least one another link information attached AID is contained in the set, the steps S7913 to S7923 are executed for that another link information attached AID. When no other link information attached AID is contained in the set, the processing proceeds to the step S7927.

(e) Values of OID_M and OID_V are outputted (step S7927).

[0287] The value of OID_M that is eventually obtained indicates all positions of the OID information that can be recovered from the set of processing target link information attached AIDs. Also, the value of OID_V that is eventually obtained indicates all the OID information that can be recovered from the set of processing target link information attached AIDs. In other words, by using the values of OID_M and OID_V, it is possible to obtain the OID albeit probabilistically when the value of OID_V is used as a search condition, and it is possible to quantitatively evaluate a precision of the above search by a ratio OID_M/L with respect to the total length L of the OID.
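The bit processing of Fig. 38, as an added example that is not part of the patent text. It treats the OID as a bit string of length L and each AID as a list of (position, bits) fragments; the function names, the 16-bit OID and the fragments are constructed, and the precision is computed here as the number of 1 bits in OID_M divided by L, which is an interpretation of the ratio OID_M/L.

```python
# Constructed sample: a 16-bit OID and three link information attached AIDs.
# AID-1 and AID-2 carry fragments of OID; AID-3 belongs to a different OID.
L = 16
OID = "1011001110001101"
AIDS = [
    ("AID-1", [(0, "1011"), (8, "10")]),
    ("AID-2", [(2, "1100"), (12, "1101")]),
    ("AID-3", [(0, "0100")]),
]


def aid_bits(fragments, length):
    """Build (AID_M, AID_V) from the (position, bits) fragments of one AID."""
    mask = value = 0
    for position, bits in fragments:
        for offset, bit in enumerate(bits):
            shift = length - 1 - (position + offset)  # position 0 is leftmost
            mask |= 1 << shift
            if bit == "1":
                value |= 1 << shift
    return mask, value


def judge_identity(aids, length):
    """Steps S7911 to S7927: accumulate OID_M and OID_V over a set of AIDs."""
    oid_m = oid_v = 0                       # S7911: all bits "0"
    merged = []
    for name, fragments in aids:            # S7913 / S7925: next AID
        aid_m, aid_v = aid_bits(fragments, length)       # S7915
        ovr_m = oid_m & aid_m                            # S7917: overlap
        if (ovr_m & aid_v) == (ovr_m & oid_v):           # S7919: agree?
            oid_m |= aid_m                               # S7921
            oid_v |= aid_v                               # S7923
            merged.append(name)
    return oid_m, oid_v, merged             # S7927


def as_bits(number, length):
    return format(number, f"0{length}b")


def precision(oid_m, length):
    """Share of OID positions that the recovered mask covers."""
    return bin(oid_m).count("1") / length


def matches(candidate_oid, oid_m, oid_v):
    """Use OID_V as a search condition against one registered OID."""
    return (int(candidate_oid, 2) & oid_m) == oid_v
```

An AID whose fragments do not overlap the positions accumulated so far passes the comparison in step S7919 without any supporting evidence, which is one reason the result is only probabilistic.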
[0288] As described above, in this sixth embodiment, the CA 1 which is a Trusted Third Party with high secrecy and credibility generates the link information attached AID in which the personal information is concealed, from the OID that contains the highly secret personal information such as name, telephone number, real email address, etc., according to a user request, and issues the AID to the user. By identifying the user by this AID on the communication network as well as in various services provided on the communication network, it becomes possible to provide both the anonymity guarantee and the identity guarantee for the user. In other words, it becomes possible for the user to communicate with another user without revealing the own real name, telephone number, email address, etc., to that another user, and it also becomes possible to disclose the disclosed information to unspecified many through the ADS 7 as will be described below.
[0289] The user registers the disclosed information, that is an information which is supposed to have a low secrecy compared with the personal information, at the ADS 7. In the case of searching the disclosed information and the registrant AID, the searcher presents the link information attached AID of the searcher and arbitrary search conditions to the ADS 7. The ADS 7 then extracts the registrant link information attached AID that satisfies these search conditions, and generates the link specifying 1-to-1 PAT from the link information of the AID of the searcher and the link information of the AID of the registrant who satisfied the search conditions, the transfer control flag value, and the validity period value.

[0290] In this link specifying 1-to-1 PAT, the transfer control flag value and the validity period value are set as shown in a part (c) of Fig. 34, and by setting up this validity period in advance, it is possible to limit connections from the sender.

[0291] It is also possible to prohibit connections from a third person who does not have the access right by using the transfer control flag value. Namely, when the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5. On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.

[0292] It is also possible to make a connection request to the communication network such that a call for which the recipient is specified by the link specifying 1-to-1 PAT will be received by the recipient's AID or the sender's AID specified by the link information of the link specifying 1-to-1 PAT. In addition, it is also possible to refuse receiving calls with the link specifying 1-to-1 PAT selected by the recipient among calls which are specified by the link specifying 1-to-1 PAT. It is also possible to cancel the receiving refusal of the calls with the link specifying 1-to-1 PAT selected by the recipient. In addition, as a measure against the sender who repeats the personal attack using a plurality of sender's AIDs by taking an advantage of the anonymity, it is possible to judge the identity of the OID from these plurality of sender's AIDs and it is possible to extract that OID at some probability.

[0293] Next, with references to Fig. 40 to Fig. 49, the seventh embodiment of the email access control scheme according to the present invention will be described in detail.

[0294] In contrast to the sixth embodiment described above which is directed to the case where a sender and a recipient are set in 1-to-1 correspondence, this seventh embodiment is directed to the case where a sender and recipients are set in 1-to-N correspondence and a generation of a new link specifying 1-to-N PAT and a content change of the existing link specifying 1-to-N PAT can be made by the initiative of a user, similarly as in the second embodiment described above. Here, the sender is either a holder of the PAT or a member of the PAT. Similarly, the recipient is either a holder of the PAT or a member of the PAT.

[0295] As described in the second embodiment, in general, a membership of a group communication (mailing list, etc.) is changing dynamically so that it is necessary for a host of the group communication to manage information on a point of contact such as telephone number, email address, etc., of each member. In contrast, in the case where it is possible to newly generate a 1-to-1 PAT as in the sixth embodiment, the management of a point of contact is difficult. For example, it is difficult to manage the group collectively, and even if it is given to the others for the purpose of the transfer control, it does not function as an address of the group communication such as mailing list.

[0296] In this seventh embodiment, in order to resolve such a problem, it is made possible to carry out a generation of a new link specifying 1-to-N PAT and a content change of the existing link specifying 1-to-N PAT by the initiative of a user.

[0297] First, the definition of various identifications used in this seventh embodiment will be described with references to Fig. 40 and Fig. 41.

[0298] As shown in a part (a) of Fig. 40, the OID is an information comprising an arbitrary character string (telephone number, email address, etc.) according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1.

[0299] Also, as shown in a part (b) of Fig. 40, the link information attached AID is an information comprising fragments of the OID and their position information, redundant character strings, an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, and a link information, which is signed by the CA 1. Note that the AID may be encrypted at the SCS 5 or the CA 1. The link information is the same as in the sixth embodiment.

[0300] Also, as shown in a part (c) of Fig. 40, the link specifying 1-to-N PAT is an information comprising two or more link informations of AIDs, a holder index, the validity period, the transfer control flag, and a PAT processing device identifier, which is signed using a secret key of the PAT processing device.

[0301] Here, one of the link informations of AIDs is the link information of the holder AID of this PAT, where the change of the information contained in the PAT such as an addition of the link information of AID to the PAT, a deletion of the link information of AID from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the link information of the holder AID and a corresponding Enabler to the PAT processing device.

[0302] On the other hand, the link informations of AIDs other than the link information of the holder AID that are contained in the PAT are all link informations of member AIDs, where a change of the information contained in the PAT cannot be made even when the link information of the member AID and a corresponding Enabler are presented to the PAT processing device.

[0303] The holder index is a numerical data for identifying the link information of the holder AID, which is defined to take a value 1 when the link information of the holder AID is a top link information of AID in the link specifying AID list formed from the link information of the holder AID and the link informations of the member AIDs, a value 2 when the link information of the holder AID is a second link information of AID from the top of the link specifying AID list, or a value n when the link information of the holder AID is an n-th link information of AID from the top of the link specifying AID list.
[0304] The transfer control flag value is defined to take either 0 or 1 similarly as in the case of the link specifying 1-to-1 PAT.

[0305] The link information of the holder AID is defined to be a link information of AID which is written at a position of the holder index value in the link specifying AID list. The link informations of the member AIDs are defined to be all the link informations of AIDs other than the link information of the holder AID.

[0306] The validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0307] The identifier of a PAT processing device (or a PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to be uniquely corresponding to the identifier.

[0308] Also, in this second embodiment, an Enabler is introduced as an identifier corresponding to the AID. As shown in Fig. 41, the Enabler is an information comprising a character string uniquely indicating that it is an Enabler and a link information attached AID itself, which is signed by the CA 1.

[0309] Next, the operations for a generation of a new PAT and a content change of the existing PAT will be described. Here, the following operations are defined at a secure PAT processing device on the communication terminal or a PAT processing object on the CA or on a network which is properly requested from the CA (which will also be referred to as a PAT processing device hereafter). These operations are similar to those of the second embodiment described above so that they will be described by referring to Fig. 10 to Fig. 13, but it is assumed that each occurrence of AID in Fig. 10 to Fig. 13 should be replaced by the link information of AID in the following.

1. Editing of link specifying AID list:

A link specifying AID list, which is a list of link informations of AIDs contained in the PAT, is edited using link information attached AIDs and Enabler. Else, the link specifying AID list is newly generated.

2. Setting of the validity period and the transfer control flag:

The validity period value and the transfer control flag value contained in the PAT are changed using a link information attached AID and Enabler. Also, a new validity period value and a new transfer control flag value are set in the newly generated link specifying AID list.

[0310] A user who presented the holder AID and the Enabler corresponding to this holder AID to the PAT processing device can edit the list of link informations of AIDs contained in the PAT. In this case, the following processing rules are used.

(1) Generating a new PAT (MakePAT) (see Fig. 10):

The link specifying AID list (LALIST<(link)holder AID | (link)member AID_1, (link)member AID_2, ......, (link)member AID_n>, where (link)AID_x denotes the link information of AID_x) is newly generated, and the validity period value and the transfer control flag value are set with respect to the generated LALIST.

(link)AID_A + (link)AID_B + Enabler of AID_B + Enabler of AID_A
-> LALIST<(link)AID_A | (link)AID_B>

LALIST<(link)AID_A | (link)AID_B> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<(link)AID_A | (link)AID_B>

(2) Merging PATs (MergePAT) (see Fig. 11):

A plurality of LALISTs of the same holder AID are merged and the validity period value and the transfer control flag value are set with respect to the merged LALIST.

LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ......> + LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ......> + Enabler of AID_A
-> LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ......, (link)AID_C1, (link)AID_C2, ......>

LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ......, (link)AID_C1, (link)AID_C2, ......> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<(link)AID_A | (link)AID_B1, (link)AID_B2, ......, (link)AID_C1, (link)AID_C2, ......>

(3) Splitting a PAT (SplitPAT) (see Fig. 12):

The LALIST is split into a plurality of LALISTs of the same holder AID, and the respective validity period value and transfer control flag value are set with respect to each one of the split LALISTs.

LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ......, (link)AID_C1, (link)AID_C2, ......> + Enabler of AID_A
-> LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ......> + LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ......>

LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ......> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<(link)AID_A | (link)AID_C1, (link)AID_C2, ......>

(4) Changing a holder of a PAT (TransPAT) (see Fig. 13):

The holder AID of the LALIST is changed and the validity period value and the transfer control flag value are set with respect to the changed LALIST.

LALIST<(link)AID_A | (link)AID_B> + LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ......> + Enabler of AID_A + Enabler of AID_B
-> LALIST<(link)AID_B | (link)AID_C1, (link)AID_C2, ......>

LALIST<(link)AID_B | (link)AID_C1, (link)AID_C2, ......> + Enabler of AID_B + validity period value + transfer control flag value
-> PAT<(link)AID_B | (link)AID_C1, (link)AID_C2, ......>

[0311] In the operation for setting the validity period value, in order to permit the setting of the validity period value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

PAT<(link)AID_A | (link)AID_B> + Enabler of AID_A + validity period value
-> PAT<(link)AID_A | (link)AID_B>

[0312] In the operation for setting the transfer control flag value, in order to permit the setting of the transfer control flag value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

PAT<(link)AID_A | (link)AID_B> + Enabler of AID_A + transfer control flag value
-> PAT<(link)AID_A | (link)AID_B>

[0313] Next, with references to Fig. 42 to Fig. 48, the overall system configuration of this seventh embodiment will be described. In Fig. 42 to Fig. 48, the user-A who has AID_A allocated from the CA stores AID_A and Enabler of AID_A in a computer of the user-A, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_A and Enabler of AID_A are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.

[0314] Similarly, the user-B who has AID_B allocated from the CA stores AID_B and Enabler of AID_B in a computer of the user-B, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_B and Enabler of AID_B are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.

[0315] In the following, a procedure by which the user-A generates PAT<(link)AID_A | (link)AID_B> will be described.

(1) The user-A acquires AID_B and Enabler of AID_B using any of the following means.

* AID_B and Enabler of AID_B are registered at the ADS 7, and it is waited until the user-A acquires them as a search result (Fig. 42).

* AID_B and Enabler of AID_B are directly transmitted to the user-A by the email, signaling, etc. (Figs. 43, 44).

* AID_B and Enabler of AID_B are stored in a magnetic, optic, or electronic medium such as floppy disk, CD-ROM, MO, IC card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 45, 46).

* AID_B and Enabler of AID_B are printed on a paper medium such as book, name card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 47, 48).

(2) The user-A who has acquired AID_B and Enabler of AID_B by any of the means described in the above (1) issues the MakePAT command to the PAT processing device. This procedure is common to Fig. 42 to Fig. 48, and defined as follows.

(a) The user-A requests the issuance of the MakePAT command by setting AID_A, Enabler of AID_A, AID_B, Enabler of AID_B, the validity period value and the transfer control flag value into the communication terminal of the user-A.

(b) The communication terminal of the user-A generates the MakePAT command.

(c) The communication terminal of the user-A transmits the generated MakePAT command to the PAT processing device by means such as the email, signaling, etc. (the issuance of the MakePAT command).

(d) The PAT processing device generates PAT<(link)AID_A | (link)AID_B> by processing the received MakePAT command according to Fig. 21 and Fig. 49. More specifically, this is done as follows.

(link)AID_A + (link)AID_B + Enabler of AID_B + Enabler of AID_A
-> LALIST<(link)AID_A | (link)AID_B>

LALIST<(link)AID_A | (link)AID_B> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<(link)AID_A | (link)AID_B>

(e) The PAT processing device transmits the generated PAT<(link)AID_A | (link)AID_B> to the communication terminal of the user-A, or to the communication terminal of the user-B according to the need, by means such as the email, signaling, etc.

(f) The communication terminal of the user-A (or the user-B) stores the received PAT<(link)AID_A | (link)AID_B> in the storage device of the communication terminal of the user-A.

[0316] The merging of PATs (MergePAT, Fig. 21, Fig. 49), the splitting of a PAT (SplitPAT, Fig. 22, Fig. 49), and the changing of a holder of a PAT (TransPAT, Fig. 21, Fig. 49) are also carried out by the similar procedure.

[0317] The procedure of MakePAT, MergePAT and TransPAT is similar to that described above with reference to Fig. 21, except that the AID should be replaced by the link information of the AID and the AID list should be replaced by the link specifying AID list. Also, the procedure of SplitPAT is similar to that described above with reference to Fig. 22, except that the AID should be replaced by the link information of the AID and the AID list should be replaced by the link specifying AID list.

[0318] Here, in the procedures of Fig. 21 and Fig. 22, the link specifying AID list generation is carried out according to Fig. 49 as follows. Namely, a buffer length is determined first (step S9011) and a buffer is generated (step S9012). Then, the link information of the holder AID is copied to a vacant region of the generated buffer (step S9017). Then, the link information of the member AID is copied to a vacant region of the resulting buffer (step S9018), and if the next member AID exists (step S9015 YES), the step S9018 is repeated.

[0319] Next, the determination of the link information of the holder AID will be described. Each of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands is defined to have two or more arguments, where AID, PAT, or Enabler can be specified as an argument. In this case, the PAT processing device specifies the link information of the holder AID of the PAT to be outputted after executing each command according to the following rules.

* Case of the MakePAT:

For the MakePAT command, it is defined that AIDs are to be specified for the first argument to the N-th argument (N = 2, 3, ......) and Enablers are to be specified for the N+1-th and subsequent arguments. For example, they can be specified as follows.

MakePAT AID_1, AID_2, ......, AID_N, Enabler of AID_1, Enabler of AID_2, ......, Enabler of AID_N

The PAT processing device interprets the link information of AID of the first argument of the MakePAT command as the link information of the holder AID.

Only when one of the Enablers of the N+1-th and subsequent arguments corresponds to the AID of the first argument, the PAT processing device specifies the link information of this AID (that is the link information of the AID of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the MakePAT command.

* Case of the MergePAT:

For the MergePAT command, it is defined that PATs are to be specified for the first argument to the N-th argument (N = 2, 3, ......) and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

MergePAT PAT_1 PAT_2 ...... PAT_N Enabler of AID

The PAT processing device interprets the link information of the holder AID of the PAT of the first argument of the MergePAT command as the link information of the holder AID of the PAT to be outputted after executing the MergePAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies the link information of this AID (that is the link information of the holder AID of the PAT of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the MergePAT command.

* Case of the SplitPAT:

For the SplitPAT command, it is defined that PAT is to be specified for the first argument, a set of one or more AIDs grouped together by some prescribed symbols (assumed to be parentheses () in this example) are to be specified for the second argument to the N-th argument (N = 3, 4, ......), and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

SplitPAT PAT (AID_11) (AID_21, AID_22) ...... (AID_N1, AID_N2, ......, AID_NM) Enabler of AID

The PAT processing device interprets the link information of the holder AID of the PAT of the first argument of the SplitPAT command as the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies the link information of this AID (that is the link information of the holder AID of the PAT of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command.

* Case of the TransPAT:

For the TransPAT command, it is defined that PATs are to be specified for the first argument and the second argument, an AID is to be specified for the third argument, and Enablers are to be specified for the fourth argument and the fifth argument. Namely, they can be specified as follows.

TransPAT PAT_1 PAT_2 AID Enabler of AID_1 Enabler of AID_2

The PAT processing device interprets the link information of AID of the third argument as the link information of the holder AID of the PAT to be outputted after executing the TransPAT command provided that the link information of AID of the third argument of the TransPAT command is contained in the PAT of the second argument.

Only when the Enabler of the fourth argument corresponds to both the PAT of the first argument and the PAT of the second argument and the Enabler of the fifth argument corresponds to the AID of the third argument, the PAT processing device specifies the link information of the AID of the third argument as the link information of the holder AID of the PAT to be outputted after executing the TransPAT command.

Next, the determination of the link informations of the member AIDs will be described. The definitions of the MakePAT, the MergePAT, the SplitPAT and the TransPAT commands are as described above. The PAT processing device specifies the link informations of the member AIDs of the PAT to be outputted after executing each command according to the following rules.

Case of the MakePAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the MakePAT command is formally determined, the PAT processing device interprets all the link informations of the AIDs of the second and subsequent arguments of the MakePAT command as the link informations of the member AIDs of the PAT to be outputted after executing the MakePAT command.

The PAT processing device specifies only the link informations of those AIDs among all the AIDs of the second and subsequent arguments which correspond to the Enablers specified by the -th and subsequent arguments as the link informations of the member AIDs of the PAT to be outputted after executing the MakePAT command.
Case of the MergePAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the MergePAT command is formally determined, the PAT processing device specifies the link informations of the member AIDs of all the PATs specified by the first to N-th arguments of the MergePAT as the link informations of the member AIDs of the PAT to be outputted after executing the MergePAT command.

Case of the SplitPAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command is formally determined, the PAT processing device specifies the link information of the member AID of the PAT specified by the first argument of the SplitPAT command as the link information of the member AID of the PAT to be outputted after executing the SplitPAT command. At this point, the link informations of the member AIDs are distributed into different PATs in units of parentheses (). For example, in the case of:

SplitPAT PAT (AID_11) (AID_21 AID_22) ... (AID_n1 AID_n2 ... AID_nm) Enabler of AID

the link informations of (AID_11), (AID_21 AID_22) and (AID_n1 AID_n2 ... AID_nm) will be the link informations of the member AIDs of different PATs having a common link information of holder AID.
* Case of TransPAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the TransPAT command is formally determined, the PAT processing device specifies all the link informations of the member AIDs remaining after excluding the link information of the member AID that is scheduled to be a new holder AID from all the link informations of the member AIDs of the PAT specified by the first argument of the TransPAT command and the link informations of the member AIDs of the PAT specified by the second argument as the link informations of the member AIDs of the PAT to be outputted after executing the TransPAT command.

The verification of the properness of the Enabler in this seventh embodiment is the same as described above with reference to Fig. 24. Also, this verification of the properness of the Enabler is common to the MakePAT, the MergePAT, the SplitPAT and the TransPAT.

[0320] Next, the eighth embodiment of the email access control scheme according to the present invention will be described in detail.

[0321] In this eighth embodiment, the OID is given by a real email address.

[0322] The PAT is an information comprising two or more real email addresses, the holder index, the validity period, the transfer control flag and the PAT processing device identifier (or the identifier of the PAT processing object on the network), which is signed using a secret key of the PAT processing device (or the PAT processing object on the network).

[0323] Here, one of the real email addresses is a holder email address of this PAT, where the change of the information contained in the PAT such as an addition of email address to the PAT, a deletion of email address from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the holder email address and an Enabler containing the holder email address to the PAT processing device (or the PAT processing object on the network).
[0324] On the other hand, the email addresses other than the holder email address that are contained in the PAT are all member email addresses, where a change of the information contained in the PAT cannot be made even when the member email address and an Enabler containing the member email address are presented to the PAT processing device (or the PAT processing object on the network).

[0325] The holder index is a numerical data for identifying the holder email address, which is defined to take a value 1 when the holder email address is a top email address in the email address list formed from the holder email address and the member email addresses, a value 2 when the holder email address is a second email address from the top of the email address list, or a value n when the holder email address is an n-th email address from the top of the email address list.

[0326] The transfer control flag value is defined to take either 0 or 1.

[0327] The holder email address is defined to be a real email address which is written at a position specified by the holder index in the email address list. The member email addresses are defined to be all the email addresses other than the holder email address.

[0328] The validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0329] The identifier of the PAT processing device (or the PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to be uniquely corresponding to the identifier.

[0330] Also, in this eighth embodiment, an Enabler is defined as an identifier corresponding to the real email address. The Enabler is an information comprising a character string uniquely indicating that it is an Enabler and a real email address itself, which is signed using the secret key of the PAT processing device or the PAT processing object on the network.

[0331] The generation of the PAT in this eighth embodiment is carried out as follows.

[0332] Here, a directory will be described as an example of the PAT processing object on the network. The directory manages the real email address and the disclosed information of the user in correspondence, and outputs the PAT upon receiving the search conditions presented from an arbitrary user.

[0333] The user transmits the real email address and the search conditions to the directory. Then, the directory acquires all the real email addresses which uniquely correspond to the disclosed information that satisfies these search conditions. Then, the directory generates a real email address list from the real email address of the user who presented the search conditions and all the real email addresses acquired as a search result. Then, the directory appends the holder index value, the validity period value, the transfer control flag value, and the distinguished name of the directory to the real email address list. Finally, the directory signs the resulting data using a secret key of the directory, and transmits it as the PAT to the user who presented the search conditions.

[0334] Next, the email access control in this eighth embodiment is carried out as follows.

[0335] The sender specifies the real email address of the sender in From: line, and "[PAT]@[real domain of sender]" in To: line of a mail.

[0336] The SCS acquires an email received by an MTA (Message Transfer Agent) such as SMTP (Simple Mail Transfer Protocol), and carries out the authentication by the following procedure.

(1) The signature of the PAT is verified using the public key of the PAT.

When the PAT is found to have been altered, the email is discarded and the processing is terminated.

When the PAT is found to have been not altered, the following processing (2) is executed.

(2) The search is carried out by presenting the sender's real email address to the PAT.

When a real email address that completely matches with the sender's real email address is not contained in the PAT, the email is discarded and the processing is terminated.

When a real email address that completely matches with the sender's real email address is contained in the PAT, the following processing (3) is executed.

(3) The validity period value of the PAT is evaluated.

When the PAT is outside the validity period, the email is discarded and the processing is terminated.

When the PAT is within the validity period, the following processing (4) is executed.

(4) Whether or not to authenticate the sender is determined by referring to the transfer control flag value of the PAT.

When the value is 1, the challenge/response authentication between the SCS and the sender is carried out and the signature of the sender is verified. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the email is discarded and the processing is terminated.

When the value is 0, the recipient is specified and the PAT is attached without executing the challenge/response authentication.

[0337] An exemplary challenge/response authentication between the SCS and the sender in this eighth embodiment can be carried out as follows.

[0338] First, the SCS generates an arbitrary information such as a timestamp, for example, and transmits the generated information to the sender.

[0339] Then, the sender generates the secret key and the public key, signs the received information using the secret key, and transmits it along with the public key.

[0340] The SCS then verifies the signature of the received information using the public key presented from the sender. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the email is discarded and the processing is terminated.

[0341] The specifying of the recipient and the attaching of the PAT at the SCS in this eighth embodiment can be carried out as follows.

[0342] First, the SCS carries out the search by presenting the sender's real email address to the PAT, so as to acquire all the real email addresses which do not completely match the sender's real email address. Then, all these acquired real email addresses are specified as recipient's real email addresses.

[0343] Next, the SCS attaches the PAT to an arbitrary position in the email in order to transmit the PAT to all the recipient's email addresses so as to be able to realize the bidirectional communications. Finally, the SCS gives the email to the MTA.
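The SCS procedure of steps (1) to (4) and the recipient selection of [0342] can be traced in code; the following is an added example, not part of the patent text. It assumes HMAC-SHA256 under a constructed shared key in place of the directory's secret-key signature and public-key verification, narrows the validity period to a not-before/not-after pair of UTC timestamps, reduces the challenge/response exchange to a callback, and uses hypothetical field names, function names and addresses throughout.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 under a constructed key stands in for the directory's
# secret-key signature and the SCS's public-key verification.
DIRECTORY_KEY = b"constructed-demo-key"


def _sign(body):
    """Signature over a canonical encoding of every PAT field except the signature."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DIRECTORY_KEY, data, hashlib.sha256).hexdigest()


def issue_pat(addresses, holder_index, not_before, not_after, transfer_flag,
              issuer="cn=example-directory"):
    """Directory side: append holder index, validity period, transfer control
    flag and issuer name to the address list, then sign the whole."""
    if len(addresses) < 2 or not 1 <= holder_index <= len(addresses):
        raise ValueError("need two or more addresses and a 1-based holder index")
    if transfer_flag not in (0, 1):
        raise ValueError("transfer control flag is 0 or 1")
    body = {"addresses": list(addresses), "holder_index": holder_index,
            "not_before": not_before, "not_after": not_after,
            "transfer_flag": transfer_flag, "issuer": issuer}
    return dict(body, sig=_sign(body))


def holder_address(pat):
    """The holder is the address at the 1-based position given by the holder index."""
    return pat["addresses"][pat["holder_index"] - 1]


def scs_process(pat, sender, now, challenge_response=None):
    """SCS side. Returns (decision, recipients); recipients is empty on discard."""
    body = {k: v for k, v in pat.items() if k != "sig"}
    # (1) Any altered field (an added address, a longer validity) breaks the signature.
    presented = str(pat.get("sig", "")).encode()
    if not hmac.compare_digest(presented, _sign(body).encode()):
        return ("discard: PAT altered", [])
    # (2) The sender's address must match an entry completely (no case folding).
    if sender not in pat["addresses"]:
        return ("discard: sender not in PAT", [])
    # (3) Validity period, here a not-before/not-after window in UTC seconds.
    if not pat["not_before"] <= now <= pat["not_after"]:
        return ("discard: outside validity period", [])
    # (4) The sender is authenticated only when the transfer control flag is 1.
    if pat["transfer_flag"] == 1:
        if challenge_response is None or not challenge_response(sender):
            return ("discard: sender authentication failed", [])
    # Recipients are all addresses that do not match the sender's address.
    return ("deliver", [a for a in pat["addresses"] if a != sender])


def demo():
    """Constructed sample: one valid delivery and one tampered ticket."""
    pat = issue_pat(["alice@example.com", "bob@example.net", "carol@example.org"],
                    holder_index=1, not_before=1000, not_after=2000, transfer_flag=0)
    forged = dict(pat, addresses=pat["addresses"] + ["mallory@example.com"])
    return (scs_process(pat, "bob@example.net", 1500),
            scs_process(forged, "mallory@example.com", 1500))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the signature covers the address list, the holder index, the validity period and the transfer control flag together, a sender cannot add an address or clear the flag without the ticket failing step (1).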

[0344] The receiving refusal with respect to the PAT at the SCS in this eighth embodiment can be carried out as follows.

[0345] Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own real email address, and arbitrary PATs to the SCS 5. Then, the SCS 5 next verifies the signature of each received PAT using a public key of the AOS. Those PATs with the invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 carries out the search by presenting the received real email address to each PAT. For each of those PATs which contain the real email address that completely matches with the received real email address, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain the real email address that completely matches with the received real email address are discarded by the SCS 5 without storing them into the storage device.

[0346] Receiving refusal execution: The SCS 5 carries out the search by presenting the PAT to the storage device. When a PAT that completely matches the presented PAT is registered in the storage device, the mail is discarded. When a PAT that completely matches the presented PAT is not registered in the storage device, the mail is not discarded.

[0347] Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own real email address to the SCS 5. Then, the SCS 5 next presents the presented real email address as a search condition to the storage device and acquires all the PATs that contain the presented real email address, and then presents all the acquired PATs to the user. Then, the user selects all the PATs for which the receiving refusal is to be cancelled by referring to all the PATs presented from the SCS 5, and transmits all the selected PATs along with a deletion command to the SCS 5. Upon receiving the deletion command and all the PATs for which the receiving refusal is to be cancelled, the SCS 5 presents the deletion command and all the PATs received from the user to the storage device, such that all the received PATs are deleted from the storage device.

[0348] The editing of the PAT in this eighth embodiment can be carried out as follows.

[0349] The MakePAT, the MergePAT, the SplitPAT, and the TransPAT processings for the PAT using real email addresses as its elements can be obtained from the MakePAT, the MergePAT, the SplitPAT, and the TransPAT processings for the PAT using AIDs as its elements described above, by replacing the AID by the real email address and the Enabler of AID by the Enabler of real email address.

[0350] A Null operator is an information comprising a data which is uniquely indicating that it is Null and which has a format of the real email address, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

[0351] Similarly, the God operator is an information comprising a data which is uniquely indicating that it is God and which has a format of the real email address, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

[0352] The Enabler of Null operator is an information comprising a data which is uniquely indicating that it is Enabler and the Null operator itself, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

[0353] The processings involving the Null operator and the God operator can be obtained from the processings for the PAT using AIDs as its elements described above, by replacing the AID by the real email address, the Enabler of AID by the Enabler of real email address, the Null-AID by the Null operator, the God-AID by the God operator, and the Enabler of Null-AID by the Enabler of Null operator.

[0354] As described, according to the present invention, a PAT is used for verifying the access right of a sender and the email access control among users is carried out when the verification result is valid, so that it becomes possible to disclose the information indicative of characteristics of a user while concealing the true identification of a user and carrying out communications appropriately according to this disclosed information while preventing conventionally possible attacks from a third person. In addition, even when a recipient receives an attack from a sender who maliciously utilizes the anonymity, damages of a recipient due to that attack can be minimized.

[0355] Also, according to the present invention, the generation and the content change of the personalized access ticket can be made by the initiative of a user by using an AID assigned to each user and an Enabler defined in correspondence to the AID, so that it becomes possible to appropriately manage information such as that of a point of contact of each member of the group communication (mailing list etc.) which changes dynamically.

[0356] Also, according to the present invention, a Null-AID and an Enabler of Null-AID can be introduced in order to carry out the generation of a new PAT (MakePAT) and the merging of PATs (MergePAT) without giving the member AID and the Enabler of the member AID to the holder of the PAT so that it becomes possible to prevent the pretending using the member AID.
[0357] Also, according to the present invention, the Null-AID can be used only as the holder AID of the PAT (the Null-AID cannot be used as the member AID), that is PAT<AID_Null | AID_member1, AID_member2, ..., AID_memberN> is allowed, but PAT<AID_holder | AID_Null, AID_member1, AID_member2, ..., AID_memberN> is not allowed, so that the holder of PAT<AID_holder | AID_member> cannot produce PAT<AID_Null | AID_member> from this PAT<AID_holder | AID_member> so long as the holder does not know Enabler of AID_member.

[0358] Also, according to the present invention, a God-AID can be introduced in order to set up a read only attribute to the PAT, so that it becomes possible to fix the participants in the group communication.

[0359] Also, according to the present invention, the link information for uniquely specifying the AID can be introduced and the PAT can be given in terms of the link information such that the PAT does not contain the AID itself so that it becomes possible to realize the receiving refusal function without using the AID itself.

[0360] It is to be noted that besides those already mentioned above, many modifications and variations of the above embodiments may be made without departing from the novel and advantageous features of the present invention. Accordingly, all such modifications and variations are intended to be included within the scope of the appended claims.

Claims 

1. A method of email access control, comprising the steps of:

receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and

controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

2. The method of claim 1, wherein at the controlling step the secure communication service authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

3. The method of claim 2, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket and at the controlling step the secure communication service authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

4. The method of claim 1, wherein at the receiving step the secure communication service also receives the sender's identification presented by the sender along with the personalized access ticket, and at the controlling step the secure communication service checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

5. The method of claim 1, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and at the controlling step the secure communication service checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already been expired.

6. The method of claim 5, wherein the validity period of the personalized access ticket is set by a trusted third party.

7. The method of claim 1, further comprising the step of:

issuing the personalized access ticket to the sender at a directory service for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

8. The method of claim 1, further comprising the step of:

registering in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service;

wherein at the controlling step the secure communication service refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance at the registering step.

9. The method of claim 8, further comprising the step of:

deleting the personalized access ticket registered at the secure communication service upon request from the specific registrant who registered the personalized access ticket at the registering step.

10. The method of claim 1, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and at the controlling step, when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

11. The method of claim 10, wherein the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service.

12. The method of claim 10, wherein the transfer control flag of the personalized access ticket is set by a trusted third party.



13. The method of claim 1, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by real email addresses of the sender and the recipient.

14. The method of claim 1, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority.

15. The method of claim 14, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.

16. The method of claim 14, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.

17. The method of claim 14, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

18. The method of claim 1, wherein an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, and the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

19. The method of claim 1, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

20. The method of claim 18, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

21. The method of claim 1, wherein the personalized access ticket contains a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

22. The method of claim 1, wherein the personalized access ticket contains a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

23. The method of claim 22, wherein one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

24. The method of claim 23, further comprising the step of:

issuing an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification, to each user at a certification authority, such that prescribed processing on the personalized access ticket can be carried out at a secure processing device only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

25. The method of claim 24, wherein the certification authority issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority.

26. The method of claim 24, wherein the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, a changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.

27. The method of claim 26, wherein a special identification and a special enabler corresponding to the special identification which are known to all users are defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.

28. The method of claim 27, wherein the special identification is defined to be capable of being used only as the holder identification of the personalized

29. The method of claim 26, wherein a special identification which is known to all users is defined such that a read only attribute can be set to the personalized access ticket by using the special identification.

30. The method of claim 1, wherein at the controlling step, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.

31 . A method of CTiail acoess control, ooirqy ising flie 
steps of: 

4S 

defining an off idaJ identif icatk»i of each user bf 
which each user is wtquely kl^itiftatile by a 
certification authority, and an anonymous klen- 
tification of each user containing at least one 
50 fragment of the offidal kj&itification: and 

identifying each user by the anonymous identi- 
fication of each user in cornmunications for 
emails on a communication netYvork. 

55 32. The method of daim 31. wher^n the anonymous 
identifkation of each user is an infomfiation contain- 
ing the at least one fragment of the offk:ial 'dentifi- 
calfon of each us^ which is s^ned by the 
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certiftcation authority using a secret Key of the cer- 
tSication auttiority. 

33. The method of daim 31, vwherein the official identi- 
fication of each user is a character string uniquely s 
assi^ed to each user by the certification authority 
and a putjfic key of each user wfdch are signed by a 
seaet key of the certification authority. 

34. The method of claim 31, further comprising the steps of:

receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and

controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

35. The method of claim 34, further comprising the step of:

probabilistically identifying an identity of the sender at the secure communication service by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

36. The method of claim 31, wherein the defining step also defines a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification also contains the link information of each anonymous identification.

37. The method of claim 36, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

38. The method of claim 36, further comprising the steps of:

receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and

controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

39. The method of claim 38, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

40. A communication system realizing email access control, comprising:

a communication network to which a plurality of user terminals are connected; and

a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

41. The system of claim 40, wherein the secure communication service device authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

42. The system of claim 41, further comprising:

a secure processing device for issuing the personalized access ticket which is signed by a secret key of the secure processing device;

wherein the secure communication service device authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

43. The system of claim 40, wherein the secure communication service device also receives the sender's identification presented by the sender along with the personalized access ticket, checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

44. The system of claim 40, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the secure communication service device checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already been expired.

45. The system of claim 44, further comprising:

a trusted third party for setting the validity period of the personalized access ticket.

46. The system of claim 40, further comprising:

a directory service device for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issuing the personalized access ticket to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

47. The system of claim 40, wherein the secure communication service device registers in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, and refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance.

48. The system of claim 47, wherein the secure communication service device deletes the personalized access ticket registered therein upon request from the specific registrant who registered the personalized access ticket.

49. The system of claim 40, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service device authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

50. The system of claim 49, wherein the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service device.
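
The refusal conditions that claims 41 to 50 assign to the secure communication service device can be read as one ordered check on a presented ticket. The following sketch is an added example, not code from the patent: the field names, keys and identifiers are constructed, and HMAC-SHA256 is an assumed stand-in for both the secure processing device's public-key signature and the challenge/response procedure.

```python
import hashlib
import hmac
import json
import os

# Assumption: HMAC-SHA256 stands in for the signature so the example runs on the
# standard library alone. The claims describe a signature made with the secure
# processing device's secret key and verified with its public key.
ISSUER_KEY = b"constructed-issuer-key"                       # constructed value
SENDER_KEYS = {"anon-sender-01": b"constructed-sender-key"}  # constructed value


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def same(a, b):
    # Constant-time comparison; str() guards against non-string input.
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def canonical(body):
    # Stable byte encoding so issuer and verifier sign the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_ticket(sender_id, recipient_ids, not_after, auth_required):
    """Secure processing device: build and sign a personalized access ticket."""
    body = {"sender": sender_id, "recipients": sorted(recipient_ids),
            "not_after": not_after,          # validity period (claim 44)
            "auth_required": auth_required}  # transfer control flag (claim 49)
    return {**body, "sig": mac(ISSUER_KEY, canonical(body))}


def answer_challenge(sender_id, nonce):
    """Sender side of the challenge/response procedure (claim 50)."""
    return mac(SENDER_KEYS[sender_id], nonce)


class SecureCommunicationService:
    def __init__(self):
        self.refusals = set()  # tickets registered in advance for refusal

    def register_refusal(self, ticket):   # claim 47
        self.refusals.add(ticket["sig"])

    def delete_refusal(self, ticket):     # claim 48
        self.refusals.discard(ticket["sig"])

    def check(self, ticket, presented_sender, now, responder=None):
        """Return (deliver?, reason, recipients taken out of the ticket)."""
        body = {k: v for k, v in ticket.items() if k != "sig"}
        # Claims 41-42: any change to a signed field invalidates the ticket.
        if not same(mac(ISSUER_KEY, canonical(body)), ticket.get("sig", "")):
            return (False, "ticket altered", [])
        # Claim 43: the presented sender identification must be in the ticket.
        if presented_sender != ticket["sender"]:
            return (False, "sender not in ticket", [])
        # Claim 44: refuse once the validity period has passed.
        if now > ticket["not_after"]:
            return (False, "ticket expired", [])
        # Claim 47: refuse tickets the registrant registered for refusal.
        if ticket["sig"] in self.refusals:
            return (False, "refusal registered", [])
        # Claims 49-50: authenticate the sender only when the flag asks for it.
        if ticket["auth_required"]:
            nonce = os.urandom(16)
            key = SENDER_KEYS.get(presented_sender)
            reply = responder(nonce) if responder else ""
            if key is None or not same(mac(key, nonce), reply):
                return (False, "sender authentication failed", [])
        return (True, "deliver", list(ticket["recipients"]))


if __name__ == "__main__":
    scs = SecureCommunicationService()
    pat = issue_ticket("anon-sender-01", ["anon-rcpt-07"], 2000, True)
    print(scs.check(pat, "anon-sender-01", 1000,
                    lambda n: answer_challenge("anon-sender-01", n)))
    print(scs.check(dict(pat, not_after=9999), "anon-sender-01", 1000))
```

Because the validity period and the transfer control flag sit inside the signed body, a sender who edits either one fails the first check rather than the later ones.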

51. The system of claim 49, further comprising a trusted third party for setting the transfer control flag of the personalized access ticket.

52. The system of claim 40, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by real email addresses of the sender and the recipient.

53. The system of claim 40, further comprising:

a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device;

wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient.

54. The system of claim 53, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

55. The system of claim 53, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

56. The system of claim 53, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

57. The system of claim 40, further comprising:

a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device and a link information of each anonymous identification by which each anonymous identification can be uniquely identified;

wherein the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

58. The system of claim 57, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

59. The system of claim 57, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

60. The system of claim 40, wherein the personalized access ticket contains a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

61. The system of claim 40, wherein the personalized access ticket contains a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

62. The system of claim 61, wherein one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.



63. The system of claim 62, further comprising:

a certification authority device for issuing to each user an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification; and

a secure processing device at which prescribed processing on the personalized access ticket can be carried out only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

64. The system of claim 63, wherein the certification authority device issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority device.

65. The system of claim 63, wherein the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, a changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.

66. The system of claim 65, wherein a special identification and a special enabler corresponding to the special identification which are known to all users are defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.

67. The system of claim 66, wherein the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

68. The system of claim 65, wherein a special identification which is known to all users is defined such that a read only attribute can be set to the personalized access ticket by using the special identification.

69. The system of claim 40, wherein when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service device takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.

70. A communication system realizing email access control, comprising:

a certification authority device for defining an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification; and

a communication network on which each user is identified by the anonymous identification of each user in communications for emails on the communication network.

71. The system of claim 70, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

72. The system of claim 70, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

73. The system of claim 70, further comprising:

a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

74. The system of claim 73, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

75. The system of claim 70, wherein the certification authority device also defines a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification also contains the link information of each anonymous identification.

76. The system of claim 75, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

77. The system of claim 75, further comprising:

a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

78. The system of claim 77, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of link informations of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

79. A secure communication service device for use in a communication system realizing email access control, comprising:

a computer hardware; and

a computer software for causing the computer hardware to connect communications between the sender and the receiver, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

80. The secure communication service device of claim 79, wherein the computer software causes the computer hardware to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.

81. The secure communication service device of claim 80, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket and the computer software causes the computer hardware to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

82. The secure communication service device of claim 79, wherein the computer software causes the computer hardware to also receive the sender's identification presented by the sender along with the personalized access ticket, check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

83. The secure communication service device of claim 79, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the computer software causes the computer hardware to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already been expired.

84. The secure communication service device of claim 79, wherein the computer software causes the computer hardware to register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service device, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered at the secure communication service device in advance.

85. The secure communication service device of claim 84, wherein the computer software causes the computer hardware to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.

86. The secure communication service device of claim 79, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the computer software causes the computer hardware to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.

87. The secure communication service device of claim 86, wherein the computer software causes the computer hardware to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.

88. The secure communication service device of claim
wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the computer software also causes the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

89. The secure communication service device of claim 79, wherein an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the computer software also causes the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

90. The secure communication service device of claim 79, wherein when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the computer software causes the computer hardware to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.

91. A secure processing device for use in a communication system realizing email access control, comprising:

a computer hardware; and

a computer software for causing the computer hardware to receive a request for a personalized access ticket from a user, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

92. A directory service device for use in a communication system realizing email access control, comprising:

a computer hardware; and

a computer software for causing the computer hardware to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

93. A certification authority device for use in a communication system realizing email access control, comprising:

a computer hardware; and

a computer software for causing the computer hardware to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification.

94. A certification authority device for use in a communication system realizing email access control, comprising:

a computer hardware; and

a computer software for causing the computer hardware to issue to each user an identification of each user and an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

95. A secure processing device for use in a communication system realizing email access control, comprising:

a computer hardware; and

a computer software for causing the computer hardware to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification, and execute the prescribed process on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.

96. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure communication service device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to receive a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email; and

second computer readable program code means for causing said computer to control accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket, so as to connect communications between the sender and the receiver on the communication network.

97. The computer usable medium of claim 96, the second computer readable program code means causes said computer to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.

98. The computer usable medium of claim 97, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and the second computer readable program code means causes said computer to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

99. The computer usable medium of claim 96, wherein the first computer readable program code means causes said computer to also receive the sender's identification presented by the sender along with the personalized access ticket, and the second computer readable program code means causes said computer to check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

100. The computer usable medium of claim 96, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the second computer readable program code means causes said computer to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already been expired.

101. The computer usable medium of claim 96, wherein
the second computer readable program code
means causes said computer to register in advance
the personalized access ticket containing an
identification of a specific user from which a delivery of
emails to a specific registrant is to be refused as the
sender's identification and an identification of the
specific registrant as the recipient's identification, at
the secure communication service device, and
refuse a delivery of the email from the sender when
the personalized access ticket presented by the
sender is registered at the secure communication
service device in advance.

102. The computer usable medium of claim 101,
wherein the second computer readable program
code means causes said computer to delete the
personalized access ticket registered at the secure
communication service device upon request from
the specific registrant who registered the
personalized access ticket.

103. The computer usable medium of claim 96, wherein
the personalized access ticket also contains a
transfer control flag indicating whether or not the
sender should be authenticated by the secure
communication service device, and when the transfer
control flag contained in the personalized access
ticket indicates that the sender should be
authenticated, the second computer readable program
code means causes said computer to authenticate
the sender's identification presented by the sender
and refuse a delivery of the email when an
authentication of the sender's identification fails.

104. The computer usable medium of claim 103,
wherein the second computer readable program
code means causes said computer to realize the
authentication of the sender's identification by a
challenge/response procedure between the sender
and the secure communication service device.

105. The computer usable medium of claim 96, wherein
the sender's identification and the recipient's
identification in the personalized access ticket are given
by anonymous identifications of the sender and the
recipient where an anonymous identification of
each user contains at least one fragment of an
official identification of each user by which each user is
uniquely identifiable by a certification authority, and
the second computer readable program code
means also causes said computer to probabilistically
identify an identity of the sender by
reconstructing the official identification of the sender by
judging identity of a plurality of anonymous
identifications of the sender contained in a plurality of
personalized access tickets used by the sender.

106. The computer usable medium of claim 96, wherein
an anonymous identification of each user that
contains at least one fragment of an official
identification of each user by which each user is uniquely
identifiable by a certification authority and a link
information of each anonymous identification by
which each anonymous identification can be
uniquely identified are defined, the sender's
identification and the recipient's identification in the
personalized access ticket are given by a link
information of the anonymous identification of the
sender and a link information of the anonymous
identification of the recipient, and the second
computer readable program code means also causes
said computer to probabilistically identify an identity
of the sender by reconstructing the official
identification of the sender by judging identity of a plurality
of anonymous identifications of the sender
corresponding to the link information contained in a
plurality of personalized access tickets used by the
sender.

107. The computer usable medium of claim 96, wherein
when the access right of the sender with respect to
the recipient is verified according to the
personalized access ticket, the second computer readable
program code means causes said computer to take
out the recipient's identification from the
personalized access ticket by using the sender's
identification presented by the sender, convert the mail by
using a taken out recipient's identification into a
format that can be interpreted by a mail transfer
function for actually carrying out a mail delivery
processing, and give the mail after conversion to
the mail transfer function by attaching the
personalized access ticket.

108. A computer usable medium having computer
readable program code means embodied therein for
causing a computer to function as a secure
processing device for use in a communication
system realizing email access control, the computer
readable program code means includes:

first computer readable program code means
for causing said computer to receive a request
for a personalized access ticket from a user;
and

second computer readable program code
means for causing said computer to issue the
personalized access ticket containing a
sender's identification and a recipient's
identification in correspondence, which is signed by a
secret key of the secure processing device.

109. A computer usable medium having computer
readable program code means embodied therein for
causing a computer to function as a directory
service device for use in a communication system
realizing email access control, the computer readable
program code means includes:

first computer readable program code means
for causing said computer to manage an
identification of each registrant and a disclosed
information of each registrant which has a lower
secrecy than a personal information, in a state
which is accessible for search by unspecified
many; and

second computer readable program code
means for causing said computer to issue a
personalized access ticket containing a
sender's identification and a recipient's
identification in correspondence, to the sender in
response to search conditions specified by the
sender, by using an identification of a registrant
whose disclosed information matches the
search conditions as the recipient's
identification and the sender's identification specified by
the sender along with the search conditions.

110. A computer usable medium having computer
readable program code means embodied therein for
causing a computer to function as a certification
authority device for use in a communication system
realizing email access control, the computer
readable program code means includes:

first computer readable program code means
for causing said computer to issue to each user
an official identification of each user by which
each user is uniquely identifiable by the
certification authority device; and

second computer readable program code
means for causing said computer to issue to
each user an anonymous identification of each
user which contains at least one fragment of
the official identification.

111. A computer usable medium having computer
readable program code means embodied therein for
causing a computer to function as a certification
authority device for use in a communication system
realizing email access control, the computer
readable program code means includes:

first computer readable program code means
for causing said computer to issue to each user
an identification of each user; and

second computer readable program code
means for causing said computer to issue to
each user an enabler of the identification of
each user indicating a right to change any
personalized access ticket that contains the
identification of each user as a holder identification,
where the personalized access ticket generally
contains a sender's identification and a plurality
of recipient's identifications in correspondence,
and one of the sender's identification and the
recipient's identifications is a holder
identification.

112. A computer usable medium having computer
readable program code means embodied therein for
causing a computer to function as a secure
processing device for use in a communication
system realizing email access control, the computer
readable program code means includes:

first computer readable program code means
for causing said computer to receive from a
user a request for prescribed processing on a
personalized access ticket containing a
sender's identification and a plurality of
recipient's identifications in correspondence, where
one of the sender's identification and the
recipient's identifications is a holder identification;
and

second computer readable program code
means for causing said computer to execute
the prescribed processing on the personalized
access ticket when the user presented both the
holder identification contained in the
personalized access ticket and an enabler
corresponding to the holder identification which indicates a
right to change the personalized access ticket
containing the identification of the user as the
holder identification.
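
The delivery checks of claims 99 to 104, combined into one decision function, as an added example that is not part of the patent text. The field names, the HMAC-based challenge/response and the per-sender shared key are assumptions made for illustration; verification of the ticket signature (claim 98) is assumed to have succeeded before `decide` is called.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:                      # hypothetical field names
    sender_id: str
    recipient_id: str
    valid_until: int               # end of validity period, Unix seconds
    authenticate_sender: bool      # the "transfer control flag"

class SecureCommunicationService:
    def __init__(self, sender_keys):
        self.sender_keys = sender_keys   # sender_id -> shared secret (assumption)
        self.refused = set()             # tickets registered for refusal

    def register_refusal(self, ticket):  # claim 101
        self.refused.add(ticket)

    def delete_refusal(self, ticket):    # claim 102
        self.refused.discard(ticket)

    def decide(self, ticket, presented_sender_id, now, respond=None):
        """Return (deliver, reason) for one presented ticket."""
        if presented_sender_id != ticket.sender_id:        # claim 99
            return False, "sender identification not in ticket"
        if now > ticket.valid_until:                       # claim 100
            return False, "validity period expired"
        if ticket in self.refused:                         # claim 101
            return False, "ticket registered for refusal"
        if ticket.authenticate_sender:                     # claims 103 and 104
            key = self.sender_keys.get(presented_sender_id)
            challenge = os.urandom(16)                     # fresh nonce per attempt
            answer = respond(challenge) if respond else None
            if not (key and answer and hmac.compare_digest(
                    answer, hmac.new(key, challenge, hashlib.sha256).digest())):
                return False, "sender authentication failed"
        return True, "deliver"

def make_responder(key):
    """Sender side of the challenge/response: MAC the service's nonce."""
    return lambda challenge: hmac.new(key, challenge, hashlib.sha256).digest()

def demo():
    # Constructed sample: the identifiers and the key are made up.
    key = b"constructed-shared-secret"
    service = SecureCommunicationService({"anon-S1": key})
    ticket = Ticket("anon-S1", "anon-R1", 2_000, True)
    return service.decide(ticket, "anon-S1", 1_000, make_responder(key))
```
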